Vulnerabilities > CVE-2017-11605 - Out-of-bounds Read vulnerability in Libsass 3.4.5

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
libsass
CWE-125
nessus

Summary

There is a heap based buffer over-read in LibSass 3.4.5, related to address 0xb4803ea1. A crafted input will lead to a remote denial of service attack.

Vulnerable Configurations

Part Description Count
Application
Libsass
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

NASL familySuSE Local Security Checks
NASL idOPENSUSE-2017-1250.NASL
descriptionThis update for libsass fixes the following DoS vulnerabilities : - CVE-2017-11554: Stack consumption vulnerability allowed remote DoS via crafted input (1050148) - CVE-2017-11555: Illegal address access in Eval::operator allowed remote DoS via crafted input (boo#1050149) - CVE-2017-11556: Stack consumption vulnerability allowed remote DoS via crafted input (boo#1050150) - CVE-2017-11605: Heap based buffer over-read allowed remote DoS via crafted input (boo#1050151) - CVE-2017-11608: Heap-based buffer over-read allowed remote DoS via crafted input (boo#1050380)
last seen2020-06-05
modified2017-11-07
plugin id104425
published2017-11-07
reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/104425
titleopenSUSE Security Update : libsass (openSUSE-2017-1250)
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2017-1250.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(104425);
  script_version("3.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2017-11554", "CVE-2017-11555", "CVE-2017-11556", "CVE-2017-11605", "CVE-2017-11608");

  script_name(english:"openSUSE Security Update : libsass (openSUSE-2017-1250)");
  script_summary(english:"Check for the openSUSE-2017-1250 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for libsass fixes the following DoS vulnerabilities :

  - CVE-2017-11554: Stack consumption vulnerability allowed
    remote DoS via crafted input (1050148)

  - CVE-2017-11555: Illegal address access in Eval::operator
    allowed remote DoS via crafted input (boo#1050149)

  - CVE-2017-11556: Stack consumption vulnerability allowed
    remote DoS via crafted input (boo#1050150)

  - CVE-2017-11605: Heap based buffer over-read allowed
    remote DoS via crafted input (boo#1050151)

  - CVE-2017-11608: Heap-based buffer over-read allowed
    remote DoS via crafted input (boo#1050380)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050148"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050149"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050150"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050151"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050380"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libsass packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsass-3_3_2-0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsass-3_3_2-0-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsass-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsass-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/11/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/07");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.2", reference:"libsass-3_3_2-0-3.3.2-2.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"libsass-3_3_2-0-debuginfo-3.3.2-2.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"libsass-debugsource-3.3.2-2.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"libsass-devel-3.3.2-2.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libsass-3_3_2-0-3.3.2-5.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libsass-3_3_2-0-debuginfo-3.3.2-5.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libsass-debugsource-3.3.2-5.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libsass-devel-3.3.2-5.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libsass-3_3_2-0 / libsass-3_3_2-0-debuginfo / libsass-debugsource / etc");
}