Vulnerabilities > CVE-2018-1084 - Integer Overflow or Wraparound vulnerability in multiple products

CVSS v3 base score 7.5 - HIGH (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, i.e. a remotely triggerable availability impact only). Note that the Tenable Amazon Linux plugin reproduced below carries a different vector for the same CVE (C:H/I:H/A:H, 9.8); the discrepancy is discussed in the code listing.
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
corosync
debian
redhat
canonical
CWE-190
nessus

Summary

corosync before version 2.4.4 is vulnerable to an integer overflow in the authenticate_nss_2_3() function of exec/totemcrypto.c. The overflow leads to an out-of-bounds read while a received packet is processed, so a crafted packet from an unauthenticated network peer can crash the cluster engine (denial of service); this is consistent with the CVSS metrics above, which record an availability impact only. Some distribution advisories listed below (Ubuntu, openSUSE) also mention a possible code-execution outcome, and Tenable's Amazon Linux plugin rates confidentiality, integrity and availability all High; this page does not substantiate the higher rating, so treat it as unconfirmed. The fix is in upstream 2.4.4 and in distribution backports such as 2.4.3-2.el7_5.1 (RHEL 7 / CentOS 7 / Oracle Linux 7 / Scientific Linux 7) and 2.4.3-2.amzn2.1 (Amazon Linux 2) — when checking versions, compare against your distribution's backported build, not the upstream 2.4.4 string.

Common Weakness Enumeration (CWE)

  • CWE-190: Integer Overflow or Wraparound — the weakness class assigned to this CVE (see the title above).

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or a similar bound. The attacker would typically control the value of such a variable and try to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap around to become a very small or negative number, yielding a badly incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code; in this CVE the recorded consequence is an out-of-bounds read and a crash.

Nessus

  • NASL family: Amazon Linux Local Security Checks
    NASL id: AL2_ALAS-2018-1014.NASL
    description: Integer overflow in exec/totemcrypto.c:authenticate_nss_2_3() function. An integer overflow leading to an out-of-bound read was found in authenticate_nss_2_3() in Corosync. An attacker could craft a malicious packet that would lead to a denial of service. (CVE-2018-1084)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109693
    published: 2018-05-11
    reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109693
    title: Amazon Linux 2 : corosync (ALAS-2018-1014)
    code (NASL plugin source, reproduced verbatim):
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux 2 Security Advisory ALAS-2018-1014.
    #
    
    include("compat.inc");
    
    # Plugin registration. When Nessus loads the script with `description`
    # set, only the metadata below is recorded and the script exits before
    # any host checks run.
    if (description)
    {
      script_id(109693);
      script_version("1.5");
      script_cvs_date("Date: 2018/08/31 12:25:00");
    
      script_cve_id("CVE-2018-1084");
      script_xref(name:"ALAS", value:"2018-1014");
      script_xref(name:"IAVA", value:"2018-A-0127");
    
      script_name(english:"Amazon Linux 2 : corosync (ALAS-2018-1014)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux 2 host is missing a security update."
      );
      # Advisory text as published in ALAS-2018-1014: an out-of-bound read
      # reachable with a crafted packet, i.e. a denial of service.
      script_set_attribute(
        attribute:"description", 
        value:
    "Integer overflow in exec/totemcrypto.c:authenticate_nss_2_3() function
    
    An integer overflow leading to an out-of-bound read was found in
    authenticate_nss_2_3() in Corosync. An attacker could craft a
    malicious packet that would lead to a denial of
    service.(CVE-2018-1084)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/AL2/ALAS-2018-1014.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update corosync' to update your system."
      );
      # NOTE(review): both vectors below rate confidentiality, integrity and
      # availability as compromised (CVSS3 9.8). That disagrees with the
      # advisory text above, which describes an out-of-bound read leading to
      # denial of service, and with the CVE's published v3 metrics
      # (C:N/I:N/A:H, 7.5). Confirm which rating your triage should rely on
      # before prioritising on this plugin's severity alone.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:corosync");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:corosync-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:corosync-qdevice");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:corosync-qnetd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:corosynclib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:corosynclib-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/11");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      # Credentialed local check: depends on the SSH info-gathering plugin
      # having populated the release string and rpm list in the KB.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Stop with an audit (not a finding) unless credentialed local checks ran;
    # without them the package list below cannot exist.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # Release gating. The release key is expected to start with "AL" followed
    # by "A" (Amazon Linux AMI) or a major-version digit; only "2" is in
    # scope for ALAS-2018-1014, everything else is audited out.
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "2")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Package comparison. The Amazon Linux 2 fix is a backport on the 2.4.3
    # base (2.4.3-2.amzn2.1), so the reference is deliberately not the
    # upstream fixed version 2.4.4. rpm_check (rpm.inc) is expected to return
    # true when the installed package is older than the reference. Only
    # x86_64 packages are compared — presumably a package of another
    # architecture would not be matched by these checks (TODO confirm against
    # rpm.inc and the architectures the advisory actually shipped).
    flag = 0;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"corosync-2.4.3-2.amzn2.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"corosync-debuginfo-2.4.3-2.amzn2.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"corosync-qdevice-2.4.3-2.amzn2.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"corosync-qnetd-2.4.3-2.amzn2.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"corosynclib-2.4.3-2.amzn2.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"corosynclib-devel-2.4.3-2.amzn2.1")) flag++;
    
    # At least one installed package is older than the fixed build: report it
    # at Nessus's "hole" (high) level, attaching the per-package comparison
    # when the scan runs with verbose reporting.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Distinguish "installed and already patched" from "not installed at
      # all" so the audit message is accurate either way.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "corosync / corosync-debuginfo / corosync-qdevice / corosync-qnetd / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-D87E29047D.NASL
    description: New upstream release with security fix for CVE-2018-1084. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-04-20
    plugin id: 109189
    published: 2018-04-20
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109189
    title: Fedora 26 : corosync (2018-d87e29047d)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2018-1169.NASL
    description: An update for corosync is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The corosync packages provide the Corosync Cluster Engine and C APIs for Red Hat Enterprise Linux cluster software. Security Fix(es): * corosync: Integer overflow in exec/totemcrypto.c:authenticate_nss_2_3() function (CVE-2018-1084). For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Citrix Security Response Team for reporting this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 110239
    published: 2018-05-31
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110239
    title: CentOS 7 : corosync (CESA-2018:1169)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20180417_COROSYNC_ON_SL7_X.NASL
    description: Security Fix(es): - corosync: Integer overflow in exec/totemcrypto.c:authenticate_nss_2_3() function (CVE-2018-1084)
    last seen: 2020-03-18
    modified: 2018-05-01
    plugin id: 109460
    published: 2018-05-01
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109460
    title: Scientific Linux Security Update : corosync on SL7.x x86_64 (20180417)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-B0253649BE.NASL
    description: New upstream release with security fix for CVE-2018-1084. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-04-19
    plugin id: 109151
    published: 2018-04-19
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109151
    title: Fedora 27 : corosync (2018-b0253649be)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4174.NASL
    description: The Citrix Security Response Team discovered that corosync, a cluster engine implementation, allowed an unauthenticated user to cause a denial of service by application crash.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109092
    published: 2018-04-18
    reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109092
    title: Debian DSA-4174-1 : corosync - security update
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2018-1169.NASL
    description: From Red Hat Security Advisory 2018:1169: An update for corosync is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The corosync packages provide the Corosync Cluster Engine and C APIs for Red Hat Enterprise Linux cluster software. Security Fix(es): * corosync: Integer overflow in exec/totemcrypto.c:authenticate_nss_2_3() function (CVE-2018-1084). For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Citrix Security Response Team for reporting this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109439
    published: 2018-05-01
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109439
    title: Oracle Linux 7 : corosync (ELSA-2018-1169)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-12DA088117.NASL
    description: New upstream release with security fix for CVE-2018-1084. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2019-01-03
    plugin id: 120244
    published: 2019-01-03
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/120244
    title: Fedora 28 : corosync (2018-12da088117)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4000-1.NASL
    description: It was discovered that Corosync incorrectly handled certain requests. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. (The code-execution outcome mentioned here is not reflected in the CVE's published CVSS metrics, which record an availability impact only.)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 125623
    published: 2019-05-31
    reporter: Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/125623
    title: Ubuntu 16.04 LTS / 18.04 LTS : corosync vulnerability (USN-4000-1)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-417.NASL
    description: This update for corosync fixes the following issues: - CVE-2018-1084: Integer overflow in totemcrypto:authenticate_nss_2_3() could lead to command execution (bsc#1089346). - Providing an empty uid or gid results in coroparse adding uid 0 (bsc#1066585). - Fix a problem with configuration file incompatibilities that was causing corosync to not work after upgrading from SLE-11-SP4-HA to SLE-12/15-HA (bsc#1083561). This update was imported from the SUSE:SLE-12-SP3:Update update project. (Note: the bsc#1066585 item — an empty uid/gid being treated as uid 0 in the ACL configuration — is a separate hardening fix bundled in this update, not part of CVE-2018-1084.)
    last seen: 2020-06-05
    modified: 2018-05-03
    plugin id: 109541
    published: 2018-05-03
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109541
    title: openSUSE Security Update : corosync (openSUSE-2018-417)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0046_COROSYNC.NASL
    description: The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has corosync packages installed that are affected by a vulnerability: - An integer overflow leading to an out-of-bound read was found in authenticate_nss_2_3() in Corosync. An attacker could craft a malicious packet that would lead to a denial of service. (CVE-2018-1084) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127226
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127226
    title: NewStart CGSL CORE 5.04 / MAIN 5.04 : corosync Vulnerability (NS-SA-2019-0046)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-1169.NASL
    description: An update for corosync is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The corosync packages provide the Corosync Cluster Engine and C APIs for Red Hat Enterprise Linux cluster software. Security Fix(es): * corosync: Integer overflow in exec/totemcrypto.c:authenticate_nss_2_3() function (CVE-2018-1084). For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Citrix Security Response Team for reporting this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109117
    published: 2018-04-18
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109117
    title: RHEL 7 : corosync (RHSA-2018:1169)

Redhat

advisories
bugzilla
id: 1552830
title: CVE-2018-1084 corosync: Integer overflow in exec/totemcrypto.c:authenticate_nss_2_3() function
oval (the advisory's OVAL criteria; each package test pairs a version comparison against 0:2.4.3-2.el7_5.1 — note the explicit epoch — with a signature check against the Red Hat release key, so an unsigned or third-party rebuild carrying the same version string is not matched)
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 7 is installed
      oval: oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment: corosync is earlier than 0:2.4.3-2.el7_5.1
          oval: oval:com.redhat.rhsa:tst:20181169001
        • comment: corosync is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20181169002
      • AND
        • comment: corosynclib is earlier than 0:2.4.3-2.el7_5.1
          oval: oval:com.redhat.rhsa:tst:20181169003
        • comment: corosynclib is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20181169004
      • AND
        • comment: corosynclib-devel is earlier than 0:2.4.3-2.el7_5.1
          oval: oval:com.redhat.rhsa:tst:20181169005
        • comment: corosynclib-devel is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20181169006
      • AND
        • comment: corosync-qdevice is earlier than 0:2.4.3-2.el7_5.1
          oval: oval:com.redhat.rhsa:tst:20181169007
        • comment: corosync-qdevice is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20181169008
      • AND
        • comment: corosync-qnetd is earlier than 0:2.4.3-2.el7_5.1
          oval: oval:com.redhat.rhsa:tst:20181169009
        • comment: corosync-qnetd is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20181169010
rhsa
id: RHSA-2018:1169
released: 2018-04-17
severity: Important
title: RHSA-2018:1169: corosync security update (Important)
rpms (fixed builds for RHEL 7; the fix is a backport onto 2.4.3, not an upgrade to upstream 2.4.4):
  • corosync-0:2.4.3-2.el7_5.1
  • corosync-debuginfo-0:2.4.3-2.el7_5.1
  • corosync-qdevice-0:2.4.3-2.el7_5.1
  • corosync-qnetd-0:2.4.3-2.el7_5.1
  • corosynclib-0:2.4.3-2.el7_5.1
  • corosynclib-devel-0:2.4.3-2.el7_5.1