Vulnerabilities > CVE-2018-1000001 - Out-of-bounds Write vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description glibc - 'getcwd()' Local Privilege Escalation. CVE-2018-1000001. Local exploit for Linux platform file exploits/linux/local/43775.c id EDB-ID:43775 last seen 2018-01-24 modified 2018-01-16 platform linux port published 2018-01-16 reporter Exploit-DB source https://www.exploit-db.com/download/43775/ title glibc - 'getcwd()' Local Privilege Escalation type local description glibc - 'realpath()' Privilege Escalation (Metasploit). CVE-2018-1000001. Local exploit for Linux platform. Tags: Metasploit Framework (MSF), Local file exploits/linux/local/44889.rb id EDB-ID:44889 last seen 2018-06-13 modified 2018-06-13 platform linux port published 2018-06-13 reporter Exploit-DB source https://www.exploit-db.com/download/44889/ title glibc - 'realpath()' Privilege Escalation (Metasploit) type local
Metasploit
description | This module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The target system must have unprivileged user namespaces enabled. This module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64) with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc version 2.24-11+deb9u1. |
id | MSF:EXPLOIT/LINUX/LOCAL/GLIBC_REALPATH_PRIV_ESC |
last seen | 2020-06-14 |
modified | 2019-01-10 |
published | 2018-05-26 |
references |
|
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/glibc_realpath_priv_esc.rb |
title | glibc 'realpath()' Privilege Escalation |
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20180410_GLIBC_ON_SL7_X.NASL description Security Fix(es) : - glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001) - glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) - glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) - glibc: denial of service in getnetbyname function (CVE-2014-9402) - glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180) - glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132) Additional Changes : last seen 2020-03-18 modified 2018-05-01 plugin id 109447 published 2018-05-01 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109447 title Scientific Linux Security Update : glibc on SL7.x x86_64 (20180410) code # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(109447); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24"); script_cve_id("CVE-2014-9402", "CVE-2015-5180", "CVE-2017-12132", "CVE-2017-15670", "CVE-2017-15804", "CVE-2018-1000001"); script_name(english:"Scientific Linux Security Update : glibc on SL7.x x86_64 (20180410)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Security Fix(es) : - glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001) - glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) - glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) - glibc: denial of service in getnetbyname function (CVE-2014-9402) - glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180) - glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132) Additional Changes :" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1804&L=scientific-linux-errata&F=&S=&P=7441 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?262112fc" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-static"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nscd"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/24"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-common-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-debuginfo-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-debuginfo-common-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-devel-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-headers-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-static-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-utils-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nscd-2.17-222.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0076-1.NASL description This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A buffer manipulation vulnerability in nscd has been fixed that could possibly have lead to an nscd daemon crash or code execution as the user running nscd. [CVE-2014-9984, bsc#1043984] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 106046 published 2018-01-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106046 title SUSE SLES12 Security Update : glibc (SUSE-SU-2018:0076-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2018:0076-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(106046); script_version("1.8"); script_cvs_date("Date: 2019/09/10 13:51:46"); script_cve_id("CVE-2014-9984", "CVE-2018-1000001"); script_name(english:"SUSE SLES12 Security Update : glibc (SUSE-SU-2018:0076-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A buffer manipulation vulnerability in nscd has been fixed that could possibly have lead to an nscd daemon crash or code execution as the user running nscd. [CVE-2014-9984, bsc#1043984] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1043984" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1074293" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-9984/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1000001/" ); # https://www.suse.com/support/update/announcement/2018/suse-su-20180076-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?9b2a8e7b" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-2018-54=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-devel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-locale"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-locale-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-profile"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nscd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nscd-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/12"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/15"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-debuginfo-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-debugsource-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-devel-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-devel-debuginfo-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-locale-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-locale-debuginfo-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-profile-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"nscd-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"nscd-debuginfo-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-32bit-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-debuginfo-32bit-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-devel-32bit-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-devel-debuginfo-32bit-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-locale-32bit-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-locale-debuginfo-32bit-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-profile-32bit-2.19-22.24.5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2018-7714B514E2.NASL description This update addresses two security vulnerabilities : - CVE-2017-16997: Check for empty tokens before dynamic string token expansion in the dynamic linker, so that pre-existing privileged programs with `$ORIGIN` rpaths/runpaths do not cause the dynamic linker to search the current directory, potentially leading to privilege escalation. (RHBZ#1526866). - CVE-2018-1000001: `getcwd` would sometimes return a non-absolute path, confusing the `realpath` function, leading to privilege escalation in conjunction with user namespaces. (RHBZ#1533837) In addition, this update changes the thread stack size accounting to provide additional stack space compared to previous glibc versions. For some applications (`nptd` in particular), the `PTHREAD_STACK_MIN` stack size was too small on x86-64 machines with AVX-512 support (RHBZ#1527887). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-01-24 plugin id 106279 published 2018-01-24 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106279 title Fedora 27 : glibc (2018-7714b514e2) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2018-7714b514e2. # include("compat.inc"); if (description) { script_id(106279); script_version("3.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-16997", "CVE-2018-1000001"); script_xref(name:"FEDORA", value:"2018-7714b514e2"); script_name(english:"Fedora 27 : glibc (2018-7714b514e2)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update addresses two security vulnerabilities : - CVE-2017-16997: Check for empty tokens before dynamic string token expansion in the dynamic linker, so that pre-existing privileged programs with `$ORIGIN` rpaths/runpaths do not cause the dynamic linker to search the current directory, potentially leading to privilege escalation. (RHBZ#1526866). - CVE-2018-1000001: `getcwd` would sometimes return a non-absolute path, confusing the `realpath` function, leading to privilege escalation in conjunction with user namespaces. (RHBZ#1533837) In addition, this update changes the thread stack size accounting to provide additional stack space compared to previous glibc versions. For some applications (`nptd` in particular), the `PTHREAD_STACK_MIN` stack size was too small on x86-64 machines with AVX-512 support (RHBZ#1527887). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-7714b514e2" ); script_set_attribute(attribute:"solution", value:"Update the affected glibc package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:glibc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/18"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC27", reference:"glibc-2.26-24.fc27")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc"); }
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1048.NASL description According to the version of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-02-13 plugin id 106776 published 2018-02-13 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106776 title EulerOS 2.0 SP2 : glibc (EulerOS-SA-2018-1048) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(106776); script_version("3.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2018-1000001" ); script_name(english:"EulerOS 2.0 SP2 : glibc (EulerOS-SA-2018-1048)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1048 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1343aba6"); script_set_attribute(attribute:"solution", value: "Update the affected glibc package."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2018/02/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-static"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:nscd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["glibc-2.17-111.h27", "glibc-common-2.17-111.h27", "glibc-devel-2.17-111.h27", "glibc-headers-2.17-111.h27", "glibc-static-2.17-111.h27", "glibc-utils-2.17-111.h27", "nscd-2.17-111.h27"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-30.NASL description This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2018-01-16 plugin id 106059 published 2018-01-16 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106059 title openSUSE Security Update : glibc (openSUSE-2018-30) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2018-30. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(106059); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-1000408", "CVE-2017-1000409", "CVE-2017-15670", "CVE-2017-15671", "CVE-2017-15804", "CVE-2017-16997", "CVE-2018-1000001"); script_name(english:"openSUSE Security Update : glibc (openSUSE-2018-30)"); script_summary(english:"Check for the openSUSE-2018-30 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] This update was imported from the SUSE:SLE-12-SP2:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1051042" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1053188" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1063675" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1064569" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1064580" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1064583" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1070905" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1071319" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1073231" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1074293" ); script_set_attribute( attribute:"solution", value:"Update the affected glibc packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-static"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-static-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-extra"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-extra-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-html"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-i18ndata"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-info"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-obsolete"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-obsolete-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-profile"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-profile-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nscd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nscd-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/16"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"glibc-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-debugsource-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-devel-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-devel-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-devel-static-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-extra-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-extra-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-html-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-i18ndata-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-info-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-locale-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-locale-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-obsolete-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-obsolete-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-profile-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-utils-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-utils-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-utils-debugsource-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"nscd-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"nscd-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"glibc-utils-32bit-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"glibc-utils-debuginfo-32bit-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-debugsource-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-devel-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-devel-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-devel-static-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-extra-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-extra-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-html-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-i18ndata-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-info-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-locale-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-locale-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-obsolete-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-obsolete-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-profile-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-utils-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-utils-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-utils-debugsource-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"nscd-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"nscd-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-debuginfo-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-devel-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-devel-debuginfo-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-devel-static-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-locale-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-locale-debuginfo-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-profile-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-utils-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-utils-debuginfo-32bit-2.22-10.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc-utils / glibc-utils-32bit / glibc-utils-debuginfo / etc"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0565-1.NASL description This update for glibc fixes the following issues: Security issues : - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area in realpath (bsc#1074293) Also a non security issue was fixed : - Do not fail if one of the two responses to AF_UNSPEC fails (bsc#978209) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 107086 published 2018-03-01 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107086 title SUSE SLES11 Security Update : glibc (SUSE-SU-2018:0565-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2018:0565-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(107086); script_version("3.5"); script_cvs_date("Date: 2019/09/10 13:51:47"); script_cve_id("CVE-2017-12132", "CVE-2017-8804", "CVE-2018-1000001", "CVE-2018-6485", "CVE-2018-6551"); script_name(english:"SUSE SLES11 Security Update : glibc (SUSE-SU-2018:0565-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for glibc fixes the following issues: Security issues : - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area in realpath (bsc#1074293) Also a non security issue was fixed : - Do not fail if one of the two responses to AF_UNSPEC fails (bsc#978209) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1037930" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1051791" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1074293" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1079036" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=978209" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-12132/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-8804/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1000001/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-6485/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-6551/" ); # https://www.suse.com/support/update/announcement/2018/suse-su-20180565-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?071614de" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t patch sdksp4-glibc-13494=1 SUSE Linux Enterprise Server 11-SP4:zypper in -t patch slessp4-glibc-13494=1 SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch slessp3-glibc-13494=1 SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch sleposp3-glibc-13494=1 SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch dbgsp4-glibc-13494=1 SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch dbgsp3-glibc-13494=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-html"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-i18ndata"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-info"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-locale"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-profile"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nscd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/07"); script_set_attribute(attribute:"patch_publication_date", value:"2018/02/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3/4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"glibc-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"glibc-devel-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"glibc-locale-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"glibc-profile-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"glibc-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"glibc-devel-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"glibc-locale-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"glibc-profile-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-devel-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-html-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-i18ndata-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-info-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-locale-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-profile-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"nscd-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"glibc-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"glibc-devel-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"glibc-locale-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"glibc-profile-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"glibc-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"glibc-devel-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"glibc-locale-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"glibc-profile-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-devel-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-html-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-i18ndata-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-info-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-locale-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-profile-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"nscd-2.11.3-17.110.6.2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc"); }
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-0805.NASL description From Red Hat Security Advisory 2018:0805 : An update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es) : * glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001) * glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) * glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) * glibc: denial of service in getnetbyname function (CVE-2014-9402) * glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180) * glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank halfdog for reporting CVE-2018-1000001. The CVE-2015-5180 issue was discovered by Florian Weimer (Red Hat Product Security). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 109105 published 2018-04-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109105 title Oracle Linux 7 : glibc (ELSA-2018-0805) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:0805 and # Oracle Linux Security Advisory ELSA-2018-0805 respectively. # include("compat.inc"); if (description) { script_id(109105); script_version("1.4"); script_cvs_date("Date: 2019/09/27 13:00:38"); script_cve_id("CVE-2014-9402", "CVE-2015-5180", "CVE-2017-12132", "CVE-2017-15670", "CVE-2017-15804", "CVE-2018-1000001"); script_xref(name:"RHSA", value:"2018:0805"); script_name(english:"Oracle Linux 7 : glibc (ELSA-2018-0805)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2018:0805 : An update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es) : * glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001) * glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) * glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) * glibc: denial of service in getnetbyname function (CVE-2014-9402) * glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180) * glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank halfdog for reporting CVE-2018-1000001. The CVE-2015-5180 issue was discovered by Florian Weimer (Red Hat Product Security). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2018-April/007611.html" ); script_set_attribute( attribute:"solution", value:"Update the affected glibc packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-static"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nscd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/24"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"glibc-2.17-222.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"glibc-common-2.17-222.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"glibc-devel-2.17-222.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"glibc-headers-2.17-222.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"glibc-static-2.17-222.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"glibc-utils-2.17-222.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"nscd-2.17-222.el7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc / glibc-common / glibc-devel / glibc-headers / glibc-static / etc"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2018-8E27AD96ED.NASL description This update addresses two security vulnerabilities : - CVE-2017-15670, CVE-2017-15671, CVE-2017-15804: Various vulnerabilities could lead to memory corruption in the `glob` and `glob64` function. (RHBZ#1505298, RHBZ##1504807) - CVE-2017-16997: Check for empty tokens before dynamic string token expansion in the dynamic linker, so that pre-existing privileged programs with `$ORIGIN` rpaths/runpaths do not cause the dynamic linker to search the current directory, potentially leading to privilege escalation. (RHBZ#1526866). - CVE-2018-1000001: `getcwd` would sometimes return a non-absolute path, confusing the `realpath` function, leading to privilege escalation in conjunction with user namespaces. (RHBZ#1533837) In addition, this update replaces the dynamic linker trampoline on x86-64 with a version which uses the `XSAVE` instruction if it is available. This improves compatibility with future hardware and compilers which do not follow the x86-64 ABI. This update also adjusts the thread stack size accounting to provide additional stack space compared to previous glibc versions (to avoid introducing RHBZ#1527887). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-01-24 plugin id 106281 published 2018-01-24 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106281 title Fedora 26 : glibc (2018-8e27ad96ed) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0111_GLIBC.NASL description An update of the glibc package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121812 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121812 title Photon OS 1.0: Glibc PHSA-2018-1.0-0111 NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1047.NASL description According to the version of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-02-13 plugin id 106775 published 2018-02-13 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106775 title EulerOS 2.0 SP1 : glibc (EulerOS-SA-2018-1047) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1239.NASL description According to the version of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 117548 published 2018-09-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117548 title EulerOS Virtualization 2.5.0 : glibc (EulerOS-SA-2018-1239) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2018-0805.NASL description An update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es) : * glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001) * glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) * glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) * glibc: denial of service in getnetbyname function (CVE-2014-9402) * glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180) * glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank halfdog for reporting CVE-2018-1000001. The CVE-2015-5180 issue was discovered by Florian Weimer (Red Hat Product Security). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 109371 published 2018-04-27 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109371 title CentOS 7 : glibc (CESA-2018:0805) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0451-1.NASL description This update for glibc fixes the following issues: Security issues fixed : - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293) Non security bugs fixed : - Release read lock after resetting timeout (bsc#1073990) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 106865 published 2018-02-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106865 title SUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2018:0451-1) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0111.NASL description An update of 'glibc' packages of Photon OS has been released. last seen 2019-02-08 modified 2019-02-07 plugin id 111921 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111921 title Photon OS 1.0: Glibc PHSA-2018-1.0-0111 (deprecated) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0018_GLIBC.NASL description An update of the glibc package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121923 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121923 title Photon OS 2.0: Glibc PHSA-2018-2.0-0018 NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0018.NASL description An update of {'glibc'} packages of Photon OS has been released. last seen 2019-02-08 modified 2019-02-07 plugin id 111288 published 2018-07-24 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111288 title Photon OS 2.0 : glibc (PhotonOS-PHSA-2018-2.0-0018) (deprecated) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0805.NASL description An update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es) : * glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001) * glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) * glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) * glibc: denial of service in getnetbyname function (CVE-2014-9402) * glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180) * glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank halfdog for reporting CVE-2018-1000001. The CVE-2015-5180 issue was discovered by Florian Weimer (Red Hat Product Security). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 108985 published 2018-04-11 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108985 title RHEL 7 : glibc (RHSA-2018:0805) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201804-02.NASL description The remote host is affected by the vulnerability described in GLSA-201804-02 (glibc: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details. Impact : An attacker could possibly execute arbitrary code, escalate privileges, cause a Denial of Service condition, or have other unspecified impacts. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 108822 published 2018-04-04 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108822 title GLSA-201804-02 : glibc: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2187-1.NASL description This update for glibc fixes the following issues: Security issues fixed : - CVE-2017-15804: Fix buffer overflow during unescaping of user names in the glob function in glob.c (bsc#1064580). - CVE-2017-15670: Fix buffer overflow in glob with GLOB_TILDE (bsc#1064583). - CVE-2017-15671: Fix memory leak in glob with GLOB_TILDE (bsc#1064569). - CVE-2018-11236: Fix 32bit arch integer overflow in stdlib/canonicalize.c when processing very long pathname arguments (bsc#1094161). - CVE-2017-12132: Reduce advertised EDNS0 buffer size to guard against fragmentation attacks (bsc#1051791). - CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111547 published 2018-08-06 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111547 title SUSE SLES12 Security Update : glibc (SUSE-SU-2018:2187-1) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1017.NASL description Fragmentation attacks possible when EDNS0 is enabled The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.(CVE-2017-12132) Buffer overflow in glob with GLOB_TILDE The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.(CVE-2017-15670) Denial of service in getnetbyname function The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.(CVE-2014-9402) DNS resolver NULL pointer dereference with crafted record type res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).(CVE-2015-5180) realpath() buffer underflow when getcwd() returns relative path allows privilege escalation In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001) Buffer overflow during unescaping of user names with the ~ operator The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.(CVE-2017-15804) last seen 2020-06-01 modified 2020-06-02 plugin id 109699 published 2018-05-11 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109699 title Amazon Linux AMI : glibc (ALAS-2018-1017) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0075-1.NASL description This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 106045 published 2018-01-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106045 title SUSE SLES11 Security Update : glibc (SUSE-SU-2018:0075-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0071-1.NASL description This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 106041 published 2018-01-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106041 title SUSE SLES12 Security Update : glibc (SUSE-SU-2018:0071-1) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0024_GLIBC.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has glibc packages installed that are affected by multiple vulnerabilities: - The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. (CVE-2017-15670) - The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. (CVE-2017-12132) - The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator. (CVE-2017-15804) - res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash). (CVE-2015-5180) - The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process. (CVE-2014-9402) - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution. (CVE-2018-1000001) - Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458. (CVE-2016-3706) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127183 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127183 title NewStart CGSL CORE 5.04 / MAIN 5.04 : glibc Multiple Vulnerabilities (NS-SA-2019-0024) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-184.NASL description This update for glibc fixes the following issues : Security issues fixed : - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293) Non security bugs fixed : - Release read lock after resetting timeout (bsc#1073990) This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2018-02-21 plugin id 106916 published 2018-02-21 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106916 title openSUSE Security Update : glibc (openSUSE-2018-184) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0074-1.NASL description This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 106044 published 2018-01-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106044 title SUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2018:0074-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3534-1.NASL description It was discovered that the GNU C library did not properly handle all of the possible return values from the kernel getcwd(2) syscall. A local attacker could potentially exploit this to execute arbitrary code in setuid programs and gain administrative privileges. (CVE-2018-1000001) A memory leak was discovered in the _dl_init_paths() function in the GNU C library dynamic loader. A local attacker could potentially exploit this with a specially crafted value in the LD_HWCAP_MASK environment variable, in combination with CVE-2017-1000409 and another vulnerability on a system with hardlink protections disabled, in order to gain administrative privileges. (CVE-2017-1000408) A heap-based buffer overflow was discovered in the _dl_init_paths() function in the GNU C library dynamic loader. A local attacker could potentially exploit this with a specially crafted value in the LD_LIBRARY_PATH environment variable, in combination with CVE-2017-1000408 and another vulnerability on a system with hardlink protections disabled, in order to gain administrative privileges. (CVE-2017-1000409) An off-by-one error leading to a heap-based buffer overflow was discovered in the GNU C library glob() implementation. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code via a maliciously crafted pattern. (CVE-2017-15670) A heap-based buffer overflow was discovered during unescaping of user names with the ~ operator in the GNU C library glob() implementation. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code via a maliciously crafted pattern. (CVE-2017-15804) It was discovered that the GNU C library dynamic loader mishandles RPATH and RUNPATH containing $ORIGIN for privileged (setuid or AT_SECURE) programs. A local attacker could potentially exploit this by providing a specially crafted library in the current working directory in order to gain administrative privileges. (CVE-2017-16997) It was discovered that the GNU C library malloc() implementation could return a memory block that is too small if an attempt is made to allocate an object whose size is close to SIZE_MAX, resulting in a heap-based overflow. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 17.10. (CVE-2017-17426). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 106134 published 2018-01-18 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106134 title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : eglibc, glibc vulnerabilities (USN-3534-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1551.NASL description According to the versions of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.(CVE-2018-11236) - An integer overflow vulnerability was found in hcreate() and hcreate_r() functions which could result in an out-of-bounds memory access. This could lead to application crash or, potentially, arbitrary code execution.(CVE-2015-8778) - A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.(CVE-2015-7547) - A flaw was found in the regular expression matching routines that process multibyte character input. If an application utilized the glibc regular expression matching mechanism, an attacker could provide specially-crafted input that, when processed, would cause the application to crash.(CVE-2013-0242) - A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult.(CVE-2017-1000366) - The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.(CVE-2017-12132) - It was found that the files back end of Name Service Switch (NSS) did not isolate iteration over an entire database from key-based look-up API calls. An application performing look-ups on a database while iterating over it could enter an infinite loop, leading to a denial of service.(CVE-2014-8121) - Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458.(CVE-2016-3706) - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001) - Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.(CVE-2012-4424) - It was found that the dynamic loader did not sanitize the LD_POINTER_GUARD environment variable. An attacker could use this flaw to bypass the pointer guarding protection on set-user-ID or set-group-ID programs to execute arbitrary code with the permissions of the user running the application.(CVE-2015-8777) - The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.(CVE-2017-15804) - res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).(CVE-2015-5180) - pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system.(CVE-2013-2207) - A stack overflow flaw was found in glibc last seen 2020-03-17 modified 2019-05-14 plugin id 125004 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125004 title EulerOS Virtualization 3.0.1.0 : glibc (EulerOS-SA-2019-1551)
Packetstorm
data source https://packetstormsecurity.com/files/download/148173/glibc_realpath_priv_esc.rb.txt id PACKETSTORM:148173 last seen 2018-06-13 published 2018-06-12 reporter halfdog source https://packetstormsecurity.com/files/148173/glibc-realpath-Privilege-Escalation.html title glibc 'realpath()' Privilege Escalation data source https://packetstormsecurity.com/files/download/145970/glibcgetcwd-escalate.txt id PACKETSTORM:145970 last seen 2018-01-19 published 2018-01-18 reporter halfdog source https://packetstormsecurity.com/files/145970/glibc-getcwd-Local-Privilege-Escalation.html title glibc getcwd() Local Privilege Escalation
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | ### Introduction The vulnerability described here is caused by Linux kernel behaviour change in the syscall API (returning relative pathnames in getcwd()) and non-defensive function implementation in libc (failing to process that pathname correctly). Other libraries are very likely to be affected as well. On affected systems this vulnerability can be used to gain root privileges via SUID binaries. The return value specification change in getcwd() was introduced in Linux kernel Linux 2.6.36. It has already caused troubles, even in realpath(), but at different location (see bug report) and was not identified as security issue. Linux kernel side: One of the weaknesses of Linux kernel is, that it is not fully POSIX compliant (see Wikipedia POSIX). To allow programmers to produce clean and secure code, meticulous documentation would be needed, especially to write cross-platform software. Changes in specification and documentation after software was already written always pose an extra risk. This is also true for commit vfs: show unreachable paths in getcwd and proc changing the behaviour of getcwd(). The new specification made it finally to the manpages (see getcwd(2)), but at that time glibc was already written. From the somehow contradictory man page: These functions return a null-terminated string containing an _absolute_ pathname that is the current working directory of the calling process. The pathname is returned as the function result and via the argument buf, if present. If the current directory is not below the root directory of the current process (e.g., because the process set a new filesystem root using chroot(2) without changing its current directory into the new root), then, since Linux 2.6.36, the returned path will be prefixed with the string "(unreachable)". Such behavior can also be caused by an unprivileged user by changing the current directory into another mount namespace. When dealing with paths from untrusted sources, callers of these functions should consider checking whether the returned path starts with '/' or '(' to avoid misinterpreting an unreachable path as a relative path.... ...getcwd() conforms to POSIX.1-2001. Note however that POSIX.1-2001 leaves the behavior of getcwd() unspecified if buf is NULL. The documentation is accurate regarding use of (unreachable) but most likely not according POSIX compliance. At least POSIX 2004 and 2008 are violated, 2001 version of standard seems not available for free. According to IEEE Std 1003.1-2008 specification of getcwd(): The getcwd() function shall place an absolute pathname of the current working directory in the array pointed to by buf, and return buf. The pathname shall contain no components that are dot or dot-dot, or are symbolic links. As it seems, that consequences from the change of interface specification on Linux kernel side only were not recognized by all affected parties. The realpath() function, which relies on using getcwd() to resolve relative path names still required the old behaviour. Also the manpage does not reflect the changes in underlying getcwd() call, see realpath(3). Libc side: glibc still assumes that kernel getcwd() would return absolute pathnames and relies on that behaviour when realpath() attempts to create a canonicalized absolute pathname: realpath() expands all symbolic links and resolves references to /./, /../ and extra '/' characters in the null-terminated string named by path to produce a canonicalized absolute pathname... When resolving a relative symbolic link, e.g. ../../x, realpath() will use the current working directory, assuming it will start with a /. The function starts at the end of the getcwd pathname to jump forward from slash to slash for each ../ found in the symbolic link to resolve. It does not check the boundaries of the buffer, thus may end up at a slash before the string buffer used to create the canonicalized absolute pathname. So resolving the link named above with getcwd() returning (unreachable)/, the second ../ will have moved the pointer before the buffer, the next part x is then copied to this memory location. As realpath usually operates on heap buffers. ### Methods This section describes how to improve a simple demonstrator to a complex, ASLR-aware high-reliable exploit. The steps used might not be the most elegant way to do so. Any hints for improvement are appreciated. To exploit the underflow for privilege escalation, the mount, unmount SUID binaries are most suitable targets: they process pathes using realpath(), do not drop privileges and can be invoked by any user. umount was selected as candidate as it allows to process more than one mountpoint per run, thus traversing the problematic code more than once. This seemed to be the best way to allow user controlled gradual memory editing, defeat of ASLR measures and finally quite reliable code execution. As umount realpath() operates on heap, the first step was to create a reproducible heap layout. This was done be removing all interfering environment variables and just working with those related to locale support. As locales are initialized before umount option parsing, this editing affectes the heap structure and content lower addresses than the buffer used in the fatal realpath() call. Therefore the current exploit relies on the availability of a single locale, but libc-bin on standard systems provides one: /usr/lib/locale/C.UTF-8. It is loaded by using the environment variable LC_ALL=C.UTF-8. After locale setup, the realpath buffer underflow will overwrite a slash in a locale string, used for loading of national language support (NLS) files, thus changing it to a relative pathname. Thus user controlled translations of umount error messages are loaded, giving write access to some memory adresses using the %n format feature of fprintf to modify memory. As the stack layout used by fprintf is fixed, any address references will work without considering ASLR. Luckily, one of those references points to the struct libmnt_context defined in libmount/src/mountP.h from util-linux: ``` struct libmnt_context { int action; /* MNT_ACT_{MOUNT,UMOUNT} */ int restricted; /* root or not? */ char *fstype_pattern; /* for mnt_match_fstype() */ char *optstr_pattern; /* for mnt_match_options() */ ... ``` As the restricted field is within reach, overwriting it will make umount believe, that it was started by root, even when it was not. This can be used for a quite simple DoS by unmounting the root filesystem, which will cause very funny side effects on running programs, e.g. aborts, SEGV, .... Follwing commands demonstrate the behaviour on fully patched Debian Stretch amd64 with libc6 2.24-11+deb9u1 and umount from package mount 2.29.2-1. Keep in mind, that this simplified POC operates on the umount process memory, thus will need adoption to other software versions: ``` # Enable USERNS clone as root for demonstration: root$ echo 1 > /proc/sys/kernel/unprivileged_userns_clone # As normal user create a new namespace: test$ /usr/bin/unshare -m -U --map-root-user /bin/sh # Caveat: following steps are performed as USERNS-root, not real # root user. root$ mount -t tmpfs tmpfs /tmp root$ cd /tmp root$ chmod 00755 . root$ mkdir -p -- "(unreachable)/tmp" "(unreachable)/tmp/from_archive/C/LC_MESSAGES" "(unreachable)/x" root$ ln -s ../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/A "(unreachable)/tmp/down" # Make mount unrestricted by overwriting struct libmnt_context, thus # affecting mnt_context_is_restricted in "libmount/src/context.c". root$ base64 -d <<B64-EOF | bzip2 -cd > "(unreachable)/tmp/from_archive/C/LC_MESSAGES/util-linux.mo" QlpoOTFBWSZTWTOfm9IAAGX/pn6UlARGB+FeKyZnAD/n3mACAAAgAAEgAJSIqfkpspk0eUGJ6gAG mQeoaD1PJAamlPJGCNMTIaNGmnqMQ0AAzSwpEWpQICVUw+490ohZBgZ+s4EBAZCn/TavSQshtCiv iG6HOehyAp4FPt3zkpdTxNchTYITLBkXUjsgpN2QDBNX8qmbpkVgfLXKcQc1ZhVF0FxUQOtnbGlL 5NhRmORwmQF1Dw3Yu1mds6tGAmnLwWwc2KRKGl5hcLuSKcKEgZz83pA= B64-EOF root$ echo "$$" 2299 # Now continue in another shell using the USERNS pid from before: test$ cd /proc/2299/cwd test$ LC_ALL=C.UTF-8 /bin/umount --lazy down / umount: AAlnAAAAAAAAAAA ``` The simplified single-stage POC from above has multiple drawbacks: it can only reliable toggle the permissions bit, thus allowing unmounting / causing DoS, but not arbitrary code execution. For that, ASLR has to be defeated first. This can be done by following sequence of events: * Start umount with large number of environment variables that containing "AANGUAGE=X.X", that are just one letter off from correct language settings. The large number of environment variables "sprays" the upper stack area with a long list of valid pointers. * Let umount call realpath() and underflow. When the error message is printed, a first-stage message catalogue file is loaded and the format string dumps the whole stack to stderr, remove the "restricted" bit similar to simplified POC and write a 'L' to the sprayed stack, modifying one entry to "LANGUAGE=X.X". * Due to change of language, umount will attemt to load another language catalogue. As the exploit prepared a pipe with that name, umount will block here giving the exploit the chance to synchronize, create an updated message catalogue and let umount continue. * The updated format strings now contain all offsets for the currently running binary. But the stack does not contain suitable pointers for writing and fprintf ignores changes of argument pointers while running because secure printf copies the values down the stack, where we cannot use them directly. Hence fprintf must be invoked more than once with the same (unmodified) format string, but still has to behave different on each invocation to overwrite different memory locations. This is done using the format string itself for arithmetics, each fprintf invocation as clock and the length of path-name input as instruction pointer, thus creating a simplified virtual machine. * The repeated format string processing changes the return pointer from main function to two other functions: getdate() and execl(). Those functions were choosen for ROP because a single call to system() would not work on Ubuntu. This is due to /bin/sh having a patch missing in Debian, that will reset the effective UID when not matching the the current UID. But as exec calls require a more complex stack/register configuration, let getdate() do the work for us. For escalation using umount, calling execve in the end should work also on SELinux/AppArmor hardened systems. Umount needs to call file system helpers during normal operation also. On other systems, execl() could be replaced by dlopen(), to inject code into running process. * The invoked program file contains a shebang to make the operating system invoke the exploit program as interpreter. The exploit then changes his own file ownership and mode to become a root SUID binary and terminates. Starting the shell here immediately would be possible, but the mount process has a strange set of environment variables, which is not so convenient for further shell use. Apart from that, by terminating the caller can detect successful escalation, perform all cleanup. * When the initial caller of mount notices the mode change of the file, it performs the cleanup and invokes the SUID binary to use its secondary function - a SUID shell, thus completing the escalation. All those steps are currently implemented in RationalLove.c apart for the code to create the namespace. Therefore the pid of a suitable namespace process has to be hardcoded before compiling. Here is the output of exploit invocation: ``` test@test$ ./RationalLove ./RationalLove: setting up environment ... ./RationalLove: using umount at "/bin/umount". Attempting to gain root, try 1 of 10 ... Starting subprocess Stack content received, calculating next phase Found source address location 0x7fffb6505d18 pointing to target address 0x7fffb6505de8 with value 0x7fffb650723f, libc offset is 0x7fffb6505d08 Changing return address from 0x7f9617db62b1 to 0x7f9617e41c30, 0x7f9617e4e900 Using escalation string %67$hn%71$hn%1$6116.6116s%65$hn%69$hn%1$1100.1100s%64$hn%1$25446.25446s%66$hn%70$hn%1$26986.26986s%68$hn%1$5888.5888s%1$23798.23798s%1$s%1$s%63$hn%1$s%1$s%1$s%1$s%1$s%1$s%1$186.186s%37$hn-%35$lx-%37$lx-%62$lx-%63$lx-%64$lx-%65$lx-%66$lx-%67$lx-%68$lx-%69$lx-%78$s Executable now root-owned Cleanup completed, re-invoking binary /proc/self/exe: invoked as SUID, invoking shell ... root@test# id uid=0(root) gid=0(root) groups=0(root),100(users) ``` ASLR could also be circumvented using a but in mount environment variable handling, see util-linux mount/unmount ASLR bypass via environment variable. ### Results, Discussion As for example, misbehaviour can be triggered when performing a getcwd call in a directory not visible in the current mount namespace of the process. See mount_namespaces man page for more information. Therefore a process has to reach such a directory within another namespace. There should be various ways to do that, e.g. using the proc filesystem to enter the working directory of another process (method used in exploit), by passing file descriptors via SCM_RIGHTS between cooperating processes in different namespaces. Therefore this vulnerability shows again the importance of system hardening by disabling USERNS when not needed. On a system with unprivileged USERNS enabled, an attacker can create all required namespaces. On other systems, it might be possible to use namespaces created by other processes using the proc access approach. These can be discovered using readlink /proc/*/ns/mnt | sort -u. While systemd-udevd just uses a namespace in a way required for exploitation, the /proc/[pid]/cwd link cannot accessed by unprivileged users. Still systemd-udevd is a good example, how hardening of a single application by namespaces might also create additional attack surface, not only in the application itself. Hence the attack method described here may also be appropriate to attack other applications using the same hardening measures, e.g. lxc or docker. Affected systems: Systems with Linux Kernel prepending getcwd() path with non-path components, e.g. to indicate unreachable pathes. Such code can be found in fs/dcache.c: ``` static int prepend_unreachable(char **buffer, int *buflen) { return prepend(buffer, buflen, "(unreachable)", 13); } ``` Most likely this code was created in analogy to the (deleted) suffix to indicate file handles to deleted files, e.g.: ``` test$ touch /tmp/x test$ exec 3</tmp/x test$ rm /tmp/x test$ readlink /proc/self/fd/3 /tmp/x (deleted) ``` Userspace: Currently only libc is proven to misbehave when Linux getcwd() returns a relative path. But other libraries or tools might also fail in unexpected ways due to that bug. ``` glibc: Here the underflow occurs in __realpath from stdlib/canonicalize.c: 42 char * 43 __realpath (const char *name, char *resolved) 44 { ... # When resolving a relative pathname, getcwd() is called: 86 if (name[0] != '/') 87 { 88 if (!__getcwd (rpath, path_max)) 89 { 90 rpath[0] = '\0'; 91 goto error; 92 } 93 dest = __rawmemchr (rpath, '\0'); 94 } 95 else ... # Loop over all name components: 101 for (start = end = name; *start; start = end) 102 { ... # If the name component is "..", remove it. This underflows the # buffer if rpath does not contain a starting slash. 118 else if (end - start == 2 && start[0] == '.' && start[1] == '.') 119 { 120 /* Back up to previous component, ignore if at root already. */ 121 if (dest > rpath + 1) 122 while ((--dest)[-1] != '/'); 123 } 124 else # The name component is not ".", "..", so copy the name to dest. 125 { 126 size_t new_size; 127 128 if (dest[-1] != '/') 129 *dest++ = '/'; ... Therefore a simple patch could be glibc-fail-on-unreachable-v1.patch (nearly UNTESTED, older version v0): --- stdlib/canonicalize.c 2018-01-05 07:28:38.000000000 +0000 +++ stdlib/canonicalize.c 2018-01-05 14:06:22.000000000 +0000 @@ -91,6 +91,11 @@ goto error; } dest = __rawmemchr (rpath, '\0'); +/* If path is empty, kernel failed in some ugly way. Realpath +has no error code for that, so die here. Otherwise search later +on would cause an underrun when getcwd() returns an empty string. +Thanks Willy Tarreau for pointing that out. */ + assert (dest != rpath); } else { @@ -118,8 +123,17 @@ else if (end - start == 2 && start[0] == '.' && start[1] == '.') { /* Back up to previous component, ignore if at root already. */ - if (dest > rpath + 1) - while ((--dest)[-1] != '/'); + dest--; + while ((dest != rpath) && (*--dest != '/')); + if ((dest == rpath) && (*dest != '/') { + /* Return EACCES to stay compliant to current documentation: + "Read or search permission was denied for a component of the + path prefix." Unreachable root directories should not be + accessed, see https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/ */ + __set_errno (EACCES); + goto error; + } + dest++; } else { ``` Outlook: It might be worth analyzing how ftp server implementation, webservers will react in such context. In some cases, this may require combination with application specific bugs or unexpected behaviour, e.g. ApacheNoFollowSymlinkTimerace. ### Timeline * 20171231: Reported to distros list as glibc errors should be reported to distros first. * 20180101: Info distros: kernel issue should be handled first. Reported to kernel security. * 20180102: Kernel security reply: getcwd() behaviour documented in "getcwd() 3" man pages, not an issue. Only libraries need fixing. * 20180107: Final high-reliability anti-ASLR exploit for Stretch/Xenial using getdate/execl * 20180110: CVE CVE-2018-1000001 assigned. * 20180111: Publication without exploit code. * 20180112: SUSE distributes fixes: SUSE-SU-2018:0071-1 * 20180116: Release of demonstrator code |
id | SSV:97106 |
last seen | 2018-01-26 |
modified | 2018-01-26 |
published | 2018-01-26 |
reporter | Root |
title | Libc Realpath缓冲区下溢漏洞(CVE-2018-1000001) |
References
- http://seclists.org/oss-sec/2018/q1/38
- http://seclists.org/oss-sec/2018/q1/38
- http://www.securityfocus.com/bid/102525
- http://www.securityfocus.com/bid/102525
- http://www.securitytracker.com/id/1040162
- http://www.securitytracker.com/id/1040162
- https://access.redhat.com/errata/RHSA-2018:0805
- https://access.redhat.com/errata/RHSA-2018:0805
- https://security.netapp.com/advisory/ntap-20190404-0003/
- https://security.netapp.com/advisory/ntap-20190404-0003/
- https://usn.ubuntu.com/3534-1/
- https://usn.ubuntu.com/3534-1/
- https://usn.ubuntu.com/3536-1/
- https://usn.ubuntu.com/3536-1/
- https://www.exploit-db.com/exploits/43775/
- https://www.exploit-db.com/exploits/43775/
- https://www.exploit-db.com/exploits/44889/
- https://www.exploit-db.com/exploits/44889/
- https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
- https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/