Vulnerabilities > CVE-2018-11440 - Out-of-bounds Write vulnerability in multiple products

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(111184);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");

  script_cve_id(
    "CVE-2018-11440",
    "CVE-2018-11683",
    "CVE-2018-11684",
    "CVE-2018-11685"
  );

  script_name(english:"EulerOS 2.0 SP2 : liblouis (EulerOS-SA-2018-1222)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the liblouis packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

  - Liblouis 3.5.0 has a stack-based Buffer Overflow in the
    function parseChars in
    compileTranslationTable.c.(CVE-2018-11440)

  - Liblouis 3.5.0 has a stack-based Buffer Overflow in the
    function parseChars in compileTranslationTable.c, a
    different vulnerability than
    CVE-2018-11440.(CVE-2018-11683)

  - Liblouis 3.5.0 has a stack-based Buffer Overflow in the
    function includeFile in
    compileTranslationTable.c.(CVE-2018-11684)

  - Liblouis 3.5.0 has a stack-based Buffer Overflow in the
    function compileHyphenation in
    compileTranslationTable.c.(CVE-2018-11685)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1222
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d0686ec0");
  script_set_attribute(attribute:"solution", value:
"Update the affected liblouis packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:liblouis");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:liblouis-python");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["liblouis-2.5.2-12.h4",
        "liblouis-python-2.5.2-12.h4"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "liblouis");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2018-1039.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(117687);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2018-11440", "CVE-2018-11577", "CVE-2018-11683", "CVE-2018-11684", "CVE-2018-11685", "CVE-2018-12085");

  script_name(english:"openSUSE Security Update : liblouis (openSUSE-2018-1039)");
  script_summary(english:"Check for the openSUSE-2018-1039 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for liblouis fixes the following issues :

Security issues fixed :

  - CVE-2018-11440: Fixed a stack-based buffer overflow in
    the function parseChars() in compileTranslationTable.c
    (bsc#1095189)

  - CVE-2018-11577: Fixed a segmentation fault in
    lou_logPrint in logging.c (bsc#1095945)

  - CVE-2018-11683: Fixed a stack-based buffer overflow in
    the function parseChars() in compileTranslationTable.c
    (different vulnerability than CVE-2018-11440)
    (bsc#1095827)

  - CVE-2018-11684: Fixed stack-based buffer overflow in the
    function includeFile() in compileTranslationTable.c
    (bsc#1095826)

  - CVE-2018-11685: Fixed a stack-based buffer overflow in
    the function compileHyphenation() in
    compileTranslationTable.c (bsc#1095825)

  - CVE-2018-12085: Fixed a stack-based buffer overflow in
    the function parseChars() in compileTranslationTable.c
    (different vulnerability than CVE-2018-11440)
    (bsc#1097103)

This update was imported from the SUSE:SLE-12-SP2:Update update
project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1095189"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1095825"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1095826"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1095827"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1095945"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1097103"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected liblouis packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:liblouis-data");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:liblouis-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:liblouis-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:liblouis-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:liblouis-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:liblouis9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:liblouis9-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:python-louis");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/25");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.3", reference:"liblouis-data-2.6.4-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"liblouis-debugsource-2.6.4-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"liblouis-devel-2.6.4-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"liblouis-tools-2.6.4-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"liblouis-tools-debuginfo-2.6.4-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"liblouis9-2.6.4-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"liblouis9-debuginfo-2.6.4-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"python-louis-2.6.4-9.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "liblouis-data / liblouis-debugsource / liblouis-devel / etc");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(121309);
  script_version("1.2");
  script_cvs_date("Date: 2019/10/31 15:18:51");

  script_cve_id(
    "CVE-2018-12086",
    "CVE-2018-12585",
    "CVE-2018-18225",
    "CVE-2018-18226",
    "CVE-2018-18227"
  );
  script_bugtraq_id(105538, 105583);

  script_name(english:"Wireshark 2.4.x < 2.4.10 / 2.6.x < 2.6.4 Multiple Vulnerabilities (macOS)");
  script_summary(english:"Checks the version of Wireshark.");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote macOS / Mac OS X host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Wireshark installed on the remote macOS / Mac OS X
host is 2.4.x prior to 2.4.10 / 2.6.x prior to 2.6.4. It is,
therefore, affected by multiple vulnerabilities.

  - A buffer overflow condition exists in OPC UA applications due to
    failure to handle exceptional conditions. An unauthenticated
    remote attacker can exploit this via carefully structured requests
    to cause a denial of service condition or the execution of
    arbitrary code. (CVE-2018-12086)

  - A stack-based buffer overflow condition exists in Liblouis 3.6.0
    in the function parseChars in compileTranslationTable.c, a
    different vulnerability than CVE-2018-11440 due to failure to
    handle exceptional conditions. An unauthenticated remote attacker
    can exploit this to cause a denial of service condition or the
    execution of arbitrary code. (CVE-2018-12585)

  - Multiple denial of service vulnerabilities exist in the following
    protocol dissectors: CoAP, IHS Discovery, the MS-WSP due to
    improper handling of exceptional conditions. An unauthenticated
    remote attacker can exploit this to cause Wireshark to crash by
    injecting a malformed packet onto the wire, or by convincing a
    user to read a malformed packet trace file.
    (CVE-2018-18225, CVE-2018-18226, CVE-2018-18227)");
  script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/docs/relnotes/wireshark-2.6.4.html");
  script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2018-47.html");
  script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2018-48.html");
  script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2018-49.html");
  script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2018-50.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Wireshark version 2.4.10 / 2.6.4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-12585");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wireshark:wireshark");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_wireshark_installed.nbin");
  script_require_keys("installed_sw/Wireshark", "Host/MacOSX/Version", "Host/local_checks_enabled");

  exit(0);
}

include("vcf.inc");

get_kb_item_or_exit("Host/MacOSX/Version");

app_info = vcf::get_app_info(app:"Wireshark");

constraints = [
  { "min_version" : "2.6.0", "fixed_version" : "2.6.4" },
  { "min_version" : "2.4.0", "fixed_version" : "2.4.10" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(111648);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");

  script_cve_id(
    "CVE-2018-11440",
    "CVE-2018-11683",
    "CVE-2018-11684",
    "CVE-2018-11685"
  );

  script_name(english:"EulerOS 2.0 SP3 : liblouis (EulerOS-SA-2018-1228)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the liblouis packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

  - Liblouis 3.5.0 has a stack-based Buffer Overflow in the
    function parseChars in
    compileTranslationTable.c.(CVE-2018-11440)

  - Liblouis 3.5.0 has a stack-based Buffer Overflow in the
    function parseChars in compileTranslationTable.c, a
    different vulnerability than
    CVE-2018-11440.(CVE-2018-11683)

  - Liblouis 3.5.0 has a stack-based Buffer Overflow in the
    function includeFile in
    compileTranslationTable.c.(CVE-2018-11684)

  - Liblouis 3.5.0 has a stack-based Buffer Overflow in the
    function compileHyphenation in
    compileTranslationTable.c.(CVE-2018-11685)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1228
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b40f0c1c");
  script_set_attribute(attribute:"solution", value:
"Update the affected liblouis packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:liblouis");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:liblouis-python");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["liblouis-2.5.2-12.h4",
        "liblouis-python-2.5.2-12.h4"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "liblouis");
}