Vulnerabilities > CVE-2017-17459 - Unspecified vulnerability in Fossil SCM Fossil
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201801-20.NASL description The remote host is affected by the vulnerability described in GLSA-201801-20 (Fossil: User-assisted execution of arbitrary code) Fossil does not properly validate SSH sync protocol URLs. Impact : A remote attacker, by enticing a user to open a specially crafted URL, could possibly execute arbitrary commands with the privileges of the user running the application. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 106429 published 2018-01-29 reporter This script is Copyright (C) 2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106429 title GLSA-201801-20 : Fossil: User-assisted execution of arbitrary code code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201801-20. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(106429); script_version("1.2"); script_cvs_date("Date: 2018/06/07 13:15:38"); script_cve_id("CVE-2017-17459"); script_xref(name:"GLSA", value:"201801-20"); script_name(english:"GLSA-201801-20 : Fossil: User-assisted execution of arbitrary code"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201801-20 (Fossil: User-assisted execution of arbitrary code) Fossil does not properly validate SSH sync protocol URLs. Impact : A remote attacker, by enticing a user to open a specially crafted URL, could possibly execute arbitrary commands with the privileges of the user running the application. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201801-20" ); script_set_attribute( attribute:"solution", value: "All Fossil users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-vcs/fossil-2.4'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:fossil"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-vcs/fossil", unaffected:make_list("ge 2.4"), vulnerable:make_list("lt 2.4"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Fossil"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2019-F350634B40.NASL description - Update to 2.8 fixes rhbz#1581180 rhbz#1603993 rhbz#1674893 and rhbz#1524335 - Removed upstreamed patch - Bug 1524335 - CVE-2017-17459 fossil: Command injection via malicious ssh URLs [fedora-all] - Bug 1581180 - Update fossil version to 2.6 (currently is 2.2) - Bug 1603993 - fossil: FTBFS in Fedora rawhide - Bug 1674893 - fossil: FTBFS in Fedora rawhide/f30 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 126665 published 2019-07-15 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126665 title Fedora 30 : fossil (2019-f350634b40) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-f350634b40. # include("compat.inc"); if (description) { script_id(126665); script_version("1.3"); script_cvs_date("Date: 2020/01/08"); script_cve_id("CVE-2017-17459"); script_xref(name:"FEDORA", value:"2019-f350634b40"); script_name(english:"Fedora 30 : fossil (2019-f350634b40)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Update to 2.8 fixes rhbz#1581180 rhbz#1603993 rhbz#1674893 and rhbz#1524335 - Removed upstreamed patch - Bug 1524335 - CVE-2017-17459 fossil: Command injection via malicious ssh URLs [fedora-all] - Bug 1581180 - Update fossil version to 2.6 (currently is 2.2) - Bug 1603993 - fossil: FTBFS in Fedora rawhide - Bug 1674893 - fossil: FTBFS in Fedora rawhide/f30 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-f350634b40" ); script_set_attribute( attribute:"solution", value:"Update the affected fossil package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:fossil"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/07"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/15"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC30", reference:"fossil-2.8-1.fc30")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "fossil"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-1365.NASL description This update for fossil to version 2.4 fixes the following issues : - CVE-2017-17459: Client-side code execution via crafted last seen 2020-06-05 modified 2017-12-14 plugin id 105245 published 2017-12-14 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/105245 title openSUSE Security Update : fossil (openSUSE-2017-1365)
References
- https://bugzilla.opensuse.org/show_bug.cgi?id=1071709
- https://bugzilla.opensuse.org/show_bug.cgi?id=1071709
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BLAFCQGE7C5UMX75LESNUMKTXTURUVQM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BLAFCQGE7C5UMX75LESNUMKTXTURUVQM/
- https://www.fossil-scm.org/xfer/doc/trunk/www/changes.wiki#v2_4
- https://www.fossil-scm.org/xfer/doc/trunk/www/changes.wiki#v2_4
- https://www.fossil-scm.org/xfer/info/1f63db591c77108c
- https://www.fossil-scm.org/xfer/info/1f63db591c77108c