CVE-2017-1000408 - Missing Release of Resource after Effective Lifetime vulnerability in GNU Glibc 2.1.1

CVSS 7.2 - HIGH
  Attack vector: LOCAL
  Attack complexity: LOW
  Privileges required: NONE
  Confidentiality impact: COMPLETE
  Integrity impact: COMPLETE
  Availability impact: COMPLETE

Tags: local, low complexity, gnu, CWE-772, nessus, exploit available

Summary

A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.

Vulnerable Configurations

Part         Description   Count
Application  Gnu           1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • HTTP DoS
    An attacker performs flooding at the HTTP level to bring down only a particular web application rather than everything listening on a TCP/IP connection. This denial-of-service attack requires substantially fewer packets to be sent, which makes the DoS harder to detect. It is the HTTP equivalent of a SYN flood: the idea is to keep an HTTP session alive indefinitely and then repeat that hundreds of times. The attack targets resource-depletion weaknesses in web server software; the web server keeps waiting for the attacker's responses on the initiated HTTP sessions while its connection threads are exhausted.

Exploit-Db

  description: glibc ld.so - Memory Leak / Buffer Overflow. CVE-2017-1000408, CVE-2017-1000409. Local exploit for Linux platform. Tags: Local
  file: exploits/linux/local/43331.txt
  id: EDB-ID:43331
  last seen: 2017-12-13
  modified: 2017-12-13
  platform: linux
  port:
  published: 2017-12-13
  reporter: Exploit-DB
  source: https://www.exploit-db.com/download/43331/
  title: glibc ld.so - Memory Leak / Buffer Overflow
  type: local

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-30.NASL
    description: This update for glibc fixes the following issues:
      - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293]
      - A memory leak and a buffer overflow in the dynamic ELF loader have been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
      - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231]
      - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188]
      - A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905]
      - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
      - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675]
      This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen: 2020-06-05
    modified: 2018-01-16
    plugin id: 106059
    published: 2018-01-16
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106059
    title: openSUSE Security Update : glibc (openSUSE-2018-30)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-30.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106059);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-1000408", "CVE-2017-1000409", "CVE-2017-15670", "CVE-2017-15671", "CVE-2017-15804", "CVE-2017-16997", "CVE-2018-1000001");
    
      script_name(english:"openSUSE Security Update : glibc (openSUSE-2018-30)");
      script_summary(english:"Check for the openSUSE-2018-30 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for glibc fixes the following issues :
    
      - A privilege escalation bug in the realpath() function
        has been fixed. [CVE-2018-1000001, bsc#1074293]
    
      - A memory leak and a buffer overflow in the dynamic ELF
        loader has been fixed. [CVE-2017-1000408,
        CVE-2017-1000409, bsc#1071319]
    
      - An issue in the code handling RPATHs was fixed that
        could have been exploited by an attacker to execute code
        loaded from arbitrary libraries. [CVE-2017-16997,
        bsc#1073231]
    
      - A potential crash caused by a use-after-free bug in
        pthread_create() has been fixed. [bsc#1053188]
    
      - A bug that prevented users to build shared objects which
        use the optimized libmvec.so API has been fixed.
        [bsc#1070905]
    
      - A memory leak in the glob() function has been fixed.
        [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804,
        bsc#1064569, bsc#1064580, bsc#1064583]
    
      - A bug that would lose the syscall error code value in
        case of crashes has been fixed. [bsc#1063675]
    
    This update was imported from the SUSE:SLE-12-SP2:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1051042"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1053188"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1063675"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1064569"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1064580"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1064583"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1070905"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1071319"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1073231"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1074293"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected glibc packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-static-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-extra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-extra-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-i18ndata");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-info");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-obsolete");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-obsolete-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-profile-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nscd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nscd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-debuginfo-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-debugsource-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-devel-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-devel-debuginfo-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-devel-static-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-extra-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-extra-debuginfo-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-html-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-i18ndata-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-info-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-locale-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-locale-debuginfo-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-obsolete-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-obsolete-debuginfo-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-profile-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-utils-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-utils-debuginfo-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"glibc-utils-debugsource-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"nscd-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"nscd-debuginfo-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"glibc-utils-32bit-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"glibc-utils-debuginfo-32bit-2.22-4.12.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-debuginfo-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-debugsource-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-devel-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-devel-debuginfo-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-devel-static-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-extra-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-extra-debuginfo-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-html-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-i18ndata-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-info-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-locale-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-locale-debuginfo-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-obsolete-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-obsolete-debuginfo-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-profile-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-utils-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-utils-debuginfo-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"glibc-utils-debugsource-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"nscd-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"nscd-debuginfo-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-32bit-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-debuginfo-32bit-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-devel-32bit-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-devel-debuginfo-32bit-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-devel-static-32bit-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-locale-32bit-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-locale-debuginfo-32bit-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-profile-32bit-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-utils-32bit-2.22-10.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-utils-debuginfo-32bit-2.22-10.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc-utils / glibc-utils-32bit / glibc-utils-debuginfo / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-828F8A8FC6.NASL
    description: This update addresses RHBZ#1468837, which caused bash to lack job control in mock chroots. (Note that glibc inside the chroot needs to be upgraded for the fix to be effective.) In addition, two dynamic linker issues were fixed which are not security bugs, but received CVE IDs nevertheless (RHBZ#1524867, CVE-2017-1000408, CVE-2017-1000409). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-01-15
    plugin id: 105918
    published: 2018-01-15
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/105918
    title: Fedora 27 : glibc (2017-828f8a8fc6)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-828f8a8fc6.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105918);
      script_version("3.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-1000408", "CVE-2017-1000409");
      script_xref(name:"FEDORA", value:"2017-828f8a8fc6");
    
      script_name(english:"Fedora 27 : glibc (2017-828f8a8fc6)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update addresses RHBZ#1468837, which caused bash to lack job
    control in mock chroots. (Note that glibc inside the chroot needs to
    be upgraded for the fix to be effective.)
    
    In additon, two dynamic linker issues where fixed which are not
    security bugs, but received CVE IDs nevertheless (RHBZ#1524867,
    CVE-2017-1000408, CVE-2017-1000409).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-828f8a8fc6"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected glibc package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:glibc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC27", reference:"glibc-2.26-21.fc27")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-0074-1.NASL
    description: This update for glibc fixes the following issues:
      - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293]
      - A memory leak and a buffer overflow in the dynamic ELF loader have been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319]
      - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231]
      - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188]
      - A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905]
      - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583]
      - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675]
      Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 106044
    published: 2018-01-15
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106044
    title: SUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2018:0074-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:0074-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106044);
      script_version("1.8");
      script_cvs_date("Date: 2019/09/10 13:51:46");
    
      script_cve_id("CVE-2017-1000408", "CVE-2017-1000409", "CVE-2017-15670", "CVE-2017-15671", "CVE-2017-15804", "CVE-2017-16997", "CVE-2018-1000001");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2018:0074-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for glibc fixes the following issues :
    
      - A privilege escalation bug in the realpath() function
        has been fixed. [CVE-2018-1000001, bsc#1074293]
    
      - A memory leak and a buffer overflow in the dynamic ELF
        loader has been fixed. [CVE-2017-1000408,
        CVE-2017-1000409, bsc#1071319]
    
      - An issue in the code handling RPATHs was fixed that
        could have been exploited by an attacker to execute code
        loaded from arbitrary libraries. [CVE-2017-16997,
        bsc#1073231]
    
      - A potential crash caused by a use-after-free bug in
        pthread_create() has been fixed. [bsc#1053188]
    
      - A bug that prevented users to build shared objects which
        use the optimized libmvec.so API has been fixed.
        [bsc#1070905]
    
      - A memory leak in the glob() function has been fixed.
        [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804,
        bsc#1064569, bsc#1064580, bsc#1064583]
    
      - A bug that would lose the syscall error code value in
        case of crashes has been fixed. [bsc#1063675]
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1051042"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1053188"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1063675"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1064569"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1064580"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1064583"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1070905"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1071319"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1073231"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1074293"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-1000408/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-1000409/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15670/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15671/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15804/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16997/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1000001/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20180074-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?81ff229a"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t
    patch SUSE-SLE-SDK-12-SP3-2018-55=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
    patch SUSE-SLE-SDK-12-SP2-2018-55=1
    
    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
    patch SUSE-SLE-RPI-12-SP2-2018-55=1
    
    SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-2018-55=1
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2018-55=1
    
    SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP3-2018-55=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2018-55=1
    
    SUSE CaaS Platform ALL:zypper in -t patch SUSE-CAASP-ALL-2018-55=1
    
    OpenStack Cloud Magnum Orchestration 7:zypper in -t patch
    SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-55=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-devel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-locale");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-locale-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nscd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nscd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2/3", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2/3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-debugsource-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-devel-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-devel-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-locale-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-locale-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-profile-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"nscd-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"nscd-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-debuginfo-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-devel-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-devel-debuginfo-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-locale-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-locale-debuginfo-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"glibc-profile-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-debugsource-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-devel-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-devel-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-locale-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-locale-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-profile-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"nscd-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"nscd-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-debuginfo-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-devel-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-devel-debuginfo-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-locale-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-locale-debuginfo-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"glibc-profile-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-debuginfo-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-debugsource-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-devel-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-devel-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-devel-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-devel-debuginfo-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-locale-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-locale-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-locale-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"glibc-locale-debuginfo-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"nscd-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"nscd-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-debuginfo-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-debugsource-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-devel-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-devel-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-devel-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-devel-debuginfo-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-locale-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-locale-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-locale-debuginfo-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"glibc-locale-debuginfo-32bit-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"nscd-2.22-62.3.4")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"nscd-debuginfo-2.22-62.3.4")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3534-1.NASL
    description: It was discovered that the GNU C library did not properly handle all of the possible return values from the kernel getcwd(2) syscall. A local attacker could potentially exploit this to execute arbitrary code in setuid programs and gain administrative privileges. (CVE-2018-1000001) A memory leak was discovered in the _dl_init_paths() function in the GNU C library dynamic loader. A local attacker could potentially exploit this with a specially crafted value in the LD_HWCAP_MASK environment variable, in combination with CVE-2017-1000409 and another vulnerability on a system with hardlink protections disabled, in order to gain administrative privileges. (CVE-2017-1000408) A heap-based buffer overflow was discovered in the _dl_init_paths() function in the GNU C library dynamic loader. A local attacker could potentially exploit this with a specially crafted value in the LD_LIBRARY_PATH environment variable, in combination with CVE-2017-1000408 and another vulnerability on a system with hardlink protections disabled, in order to gain administrative privileges. (CVE-2017-1000409) An off-by-one error leading to a heap-based buffer overflow was discovered in the GNU C library glob() implementation. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code via a maliciously crafted pattern. (CVE-2017-15670) A heap-based buffer overflow was discovered during unescaping of user names with the ~ operator in the GNU C library glob() implementation. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code via a maliciously crafted pattern. (CVE-2017-15804) It was discovered that the GNU C library dynamic loader mishandles RPATH and RUNPATH containing $ORIGIN for privileged (setuid or AT_SECURE) programs. A local attacker could potentially exploit this by providing a specially crafted library in the current working directory in order to gain administrative privileges. (CVE-2017-16997) It was discovered that the GNU C library malloc() implementation could return a memory block that is too small if an attempt is made to allocate an object whose size is close to SIZE_MAX, resulting in a heap-based overflow. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 17.10. (CVE-2017-17426). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 106134
    published: 2018-01-18
    reporter: Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106134
    title: Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : eglibc, glibc vulnerabilities (USN-3534-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3534-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106134);
      script_version("3.8");
      script_cvs_date("Date: 2019/09/18 12:31:47");
    
      script_cve_id("CVE-2017-1000408", "CVE-2017-1000409", "CVE-2017-15670", "CVE-2017-15804", "CVE-2017-16997", "CVE-2017-17426", "CVE-2018-1000001");
      script_xref(name:"USN", value:"3534-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : eglibc, glibc vulnerabilities (USN-3534-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the GNU C library did not properly handle all
    of the possible return values from the kernel getcwd(2) syscall. A
    local attacker could potentially exploit this to execute arbitrary
    code in setuid programs and gain administrative privileges.
    (CVE-2018-1000001)
    
    A memory leak was discovered in the _dl_init_paths() function in the
    GNU C library dynamic loader. A local attacker could potentially
    exploit this with a specially crafted value in the LD_HWCAP_MASK
    environment variable, in combination with CVE-2017-1000409 and another
    vulnerability on a system with hardlink protections disabled, in order
    to gain administrative privileges. (CVE-2017-1000408)
    
    A heap-based buffer overflow was discovered in the _dl_init_paths()
    function in the GNU C library dynamic loader. A local attacker could
    potentially exploit this with a specially crafted value in the
    LD_LIBRARY_PATH environment variable, in combination with
    CVE-2017-1000408 and another vulnerability on a system with hardlink
    protections disabled, in order to gain administrative privileges.
    (CVE-2017-1000409)
    
    An off-by-one error leading to a heap-based buffer overflow was
    discovered in the GNU C library glob() implementation. An attacker
    could potentially exploit this to cause a denial of service or execute
    arbitrary code via a maliciously crafted pattern. (CVE-2017-15670)
    
    A heap-based buffer overflow was discovered during unescaping of user
    names with the ~ operator in the GNU C library glob() implementation.
    An attacker could potentially exploit this to cause a denial of
    service or execute arbitrary code via a maliciously crafted pattern.
    (CVE-2017-15804)
    
    It was discovered that the GNU C library dynamic loader mishandles
    RPATH and RUNPATH containing $ORIGIN for privileged (setuid or
    AT_SECURE) programs. A local attacker could potentially exploit this
    by providing a specially crafted library in the current working
    directory in order to gain administrative privileges. (CVE-2017-16997)
    
    It was discovered that the GNU C library malloc() implementation could
    return a memory block that is too small if an attempt is made to
    allocate an object whose size is close to SIZE_MAX, resulting in a
    heap-based overflow. An attacker could potentially exploit this to
    cause a denial of service or execute arbitrary code. This issue only
    affected Ubuntu 17.10. (CVE-2017-17426).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3534-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected libc6 package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libc6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/18");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|17\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"libc6", pkgver:"2.19-0ubuntu6.14")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libc6", pkgver:"2.23-0ubuntu10")) flag++;
    if (ubuntu_check(osver:"17.10", pkgname:"libc6", pkgver:"2.26-0ubuntu2.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libc6");
    }
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/145391/QSA-20171211.txt
id: PACKETSTORM:145391
last seen: 2017-12-13
published: 2017-12-13
reporter: Qualys Security Advisory
source: https://packetstormsecurity.com/files/145391/Qualys-Security-Advisory-GNU-C-Library-Memory-Leak-Buffer-Overflow.html
title: Qualys Security Advisory - GNU C Library Memory Leak / Buffer Overflow