Vulnerabilities > CVE-2017-7480 - Channel and Path Errors vulnerability in Rootkit Hunter Project Rootkit Hunter
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
rkhunter versions before 1.4.4 download files over an insecure channel (HTTP) when performing a mirror update, which can result in remote code execution.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201805-11.NASL
description: The remote host is affected by the vulnerability described in GLSA-201805-11 (Rootkit Hunter: User-assisted execution of arbitrary code). A vulnerability was discovered in Rootkit Hunter that allows the downloading of mirror updates over insecure channels (HTTP). Furthermore, the mirror update is then executed in Bash. Impact: A remote attacker, by performing a man-in-the-middle attack, could execute arbitrary code, conduct a Denial of Service, or have other unspecified impacts. Workaround: Users are advised to not trust insecure protocols such as HTTP and to turn off any mirror updates utilizing such channels.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 110175
published: 2018-05-29
reporter: This script is Copyright (C) 2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/110175
title: GLSA-201805-11 : Rootkit Hunter: User-assisted execution of arbitrary code
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201805-11.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(110175);
  script_version("1.2");
  script_cvs_date("Date: 2018/06/07 13:15:38");

  script_cve_id("CVE-2017-7480");
  script_xref(name:"GLSA", value:"201805-11");

  script_name(english:"GLSA-201805-11 : Rootkit Hunter: User-assisted execution of arbitrary code");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
    "The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
    "The remote host is affected by the vulnerability described in GLSA-201805-11
(Rootkit Hunter: User-assisted execution of arbitrary code)
    A vulnerability was discovered in Rootkit Hunter that allows the
      downloading of mirror updates over insecure channels (HTTP).
      Furthermore, the mirror update is then executed in Bash.
  Impact :
    A remote attacker, by performing a man-in-the-middle attack, could
      execute arbitrary code, conduct a Denial of Service, or have other
      unspecified impacts.
  Workaround :
    Users are advised to not trust insecure protocols such as HTTP and to
      turn off any mirror updates utilizing such channels."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201805-11"
  );
  script_set_attribute(
    attribute:"solution",
    value:
    "All Rootkit Hunter users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=app-forensics/rkhunter-1.4.6'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:rkhunter");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Installed rkhunter older than 1.4.6 is reported as vulnerable.
if (qpkg_check(package:"app-forensics/rkhunter", unaffected:make_list("ge 1.4.6"), vulnerable:make_list("lt 1.4.6"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Rootkit Hunter");
}
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-1039.NASL
description: CVE-2017-7480. The original patch introduces new regex to better check for allowed download URLs. Other versions of the package in Jessie, Stretch and Sid don't apply that patch but just disable the download of everything by default via rkhunter.conf. In order to make this version consistent with all the other distributions and not break existing installations, this will be done in Wheezy as well. For Debian 7 'Wheezy', these problems have been fixed in version 1.4.0-1+deb7u1.
last seen: 2020-03-17
modified: 2017-07-26
plugin id: 101960
published: 2017-07-26
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/101960
title: Debian DLA-1039-1 : rkhunter security update
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-1039-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(101960);
  script_version("3.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2017-7480");

  script_name(english:"Debian DLA-1039-1 : rkhunter security update");
  script_summary(english:"Checks dpkg output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
    "CVE-2017-7480

The original patch introduces new regex to better check for allowed
download URLs. Other versions of the package in Jessie, Stretch and Sid
don't apply that patch but just disable the download of everything by
default via rkhunter.conf. In order to make this version consistent
with all the other distributions and don't break existing
installations, this will be done in Wheezy as well.

For Debian 7 'Wheezy', these problems have been fixed in version
1.4.0-1+deb7u1.

We recommend that you upgrade your rkhunter packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted to
automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2017/07/msg00032.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/rkhunter"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade the affected rkhunter package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rkhunter");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Wheezy (7.0) rkhunter older than 1.4.0-1+deb7u1 is reported as vulnerable.
if (deb_check(release:"7.0", prefix:"rkhunter", reference:"1.4.0-1+deb7u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");