Vulnerabilities > CVE-2018-7485 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Unixodbc 2.3.5

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
unixodbc
CWE-119
critical
nessus

Summary

The SQLWriteFileDSN function in odbcinst/SQLWriteFileDSN.c in unixODBC 2.3.5 has strncpy arguments in the wrong order, which allows attackers to cause a denial of service or possibly have unspecified other impact.

Vulnerable Configurations

Part Description Count
Application
Unixodbc
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-2_0-0235_UNIXODBC.NASL
    descriptionAn update of the unixODBC package has been released.
    last seen2020-05-08
    modified2020-05-05
    plugin id136336
    published2020-05-05
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136336
    titlePhoton OS 2.0: Unixodbc PHSA-2020-2.0-0235
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2020-2.0-0235. The text
    # itself is copyright (C) VMware, Inc.
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(136336);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06");
    
      script_cve_id("CVE-2018-7409", "CVE-2018-7485");
      script_bugtraq_id(103193);
    
      script_name(english:"Photon OS 2.0: Unixodbc PHSA-2020-2.0-0235");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the unixODBC package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-2-235.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7485");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/05");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:unixODBC");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"unixODBC-2.3.7-1.ph2")) flag++;
    if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"unixODBC-debuginfo-2.3.7-1.ph2")) flag++;
    if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"unixODBC-devel-2.3.7-1.ph2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "unixODBC");
    }
    
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0195_UNIXODBC.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has unixODBC packages installed that are affected by multiple vulnerabilities: - The SQLWriteFileDSN function in odbcinst/SQLWriteFileDSN.c in unixODBC 2.3.5 has strncpy arguments in the wrong order, which allows attackers to cause a denial of service or possibly have unspecified other impact. (CVE-2018-7485) - In unixODBC before 2.3.5, there is a buffer overflow in the unicode_to_ansi_copy() function in DriverManager/__info.c. (CVE-2018-7409) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id129891
    published2019-10-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129891
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : unixODBC Multiple Vulnerabilities (NS-SA-2019-0195)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0195. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129891);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/17 14:31:05");
    
      script_cve_id("CVE-2018-7409", "CVE-2018-7485");
    
      script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : unixODBC Multiple Vulnerabilities (NS-SA-2019-0195)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has unixODBC packages installed that are affected
    by multiple vulnerabilities:
    
      - The SQLWriteFileDSN function in
        odbcinst/SQLWriteFileDSN.c in unixODBC 2.3.5 has strncpy
        arguments in the wrong order, which allows attackers to
        cause a denial of service or possibly have unspecified
        other impact. (CVE-2018-7485)
    
      - In unixODBC before 2.3.5, there is a buffer overflow in
        the unicode_to_ansi_copy() function in
        DriverManager/__info.c. (CVE-2018-7409)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0195");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL unixODBC packages. Note that updated packages may not be available yet. Please contact ZTE
    for more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7485");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/15");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.04" &&
        release !~ "CGSL MAIN 5.04")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.04": [
        "unixODBC-2.3.1-14.el7",
        "unixODBC-debuginfo-2.3.1-14.el7",
        "unixODBC-devel-2.3.1-14.el7"
      ],
      "CGSL MAIN 5.04": [
        "unixODBC-2.3.1-14.el7",
        "unixODBC-debuginfo-2.3.1-14.el7",
        "unixODBC-devel-2.3.1-14.el7"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "unixODBC");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2336.NASL
    descriptionAn update for unixODBC is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The unixODBC packages contain a framework that supports accessing databases through the ODBC protocol. Security Fix(es) : * unixODBC: Buffer overflow in unicode_to_ansi_copy() can lead to crash or other unspecified impact (CVE-2018-7409) * unixODBC: Insecure buffer copy in SQLWriteFileDSN function in odbcinst/ SQLWriteFileDSN.c (CVE-2018-7485) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127714
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127714
    titleRHEL 7 : unixODBC (RHSA-2019:2336)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:2336. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127714);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/06");
    
      script_cve_id("CVE-2018-7409", "CVE-2018-7485");
      script_xref(name:"RHSA", value:"2019:2336");
    
      script_name(english:"RHEL 7 : unixODBC (RHSA-2019:2336)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for unixODBC is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The unixODBC packages contain a framework that supports accessing
    databases through the ODBC protocol.
    
    Security Fix(es) :
    
    * unixODBC: Buffer overflow in unicode_to_ansi_copy() can lead to
    crash or other unspecified impact (CVE-2018-7409)
    
    * unixODBC: Insecure buffer copy in SQLWriteFileDSN function in
    odbcinst/ SQLWriteFileDSN.c (CVE-2018-7485)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section.
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.7 Release Notes linked from the References section."
      );
      # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3395ff0b"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:2336"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7409"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7485"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected unixODBC, unixODBC-debuginfo and / or
    unixODBC-devel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:unixODBC");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:unixODBC-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:unixODBC-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:2336";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", reference:"unixODBC-2.3.1-14.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"unixODBC-debuginfo-2.3.1-14.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"unixODBC-devel-2.3.1-14.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "unixODBC / unixODBC-debuginfo / unixODBC-devel");
      }
    }
    
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0241_UNIXODBC.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has unixODBC packages installed that are affected by multiple vulnerabilities: - The SQLWriteFileDSN function in odbcinst/SQLWriteFileDSN.c in unixODBC 2.3.5 has strncpy arguments in the wrong order, which allows attackers to cause a denial of service or possibly have unspecified other impact. (CVE-2018-7485) - In unixODBC before 2.3.5, there is a buffer overflow in the unicode_to_ansi_copy() function in DriverManager/__info.c. (CVE-2018-7409) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id132448
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132448
    titleNewStart CGSL CORE 5.05 / MAIN 5.05 : unixODBC Multiple Vulnerabilities (NS-SA-2019-0241)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0241. The text
    # itself is copyright (C) ZTE, Inc.
    
    include('compat.inc');
    
    if (description)
    {
      script_id(132448);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2018-7409", "CVE-2018-7485");
      script_bugtraq_id(103193);
    
      script_name(english:"NewStart CGSL CORE 5.05 / MAIN 5.05 : unixODBC Multiple Vulnerabilities (NS-SA-2019-0241)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has unixODBC packages installed that are affected
    by multiple vulnerabilities:
    
      - The SQLWriteFileDSN function in
        odbcinst/SQLWriteFileDSN.c in unixODBC 2.3.5 has strncpy
        arguments in the wrong order, which allows attackers to
        cause a denial of service or possibly have unspecified
        other impact. (CVE-2018-7485)
    
      - In unixODBC before 2.3.5, there is a buffer overflow in
        the unicode_to_ansi_copy() function in
        DriverManager/__info.c. (CVE-2018-7409)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0241");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL unixODBC packages. Note that updated packages may not be available yet. Please contact ZTE
    for more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7485");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/31");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.05" &&
        release !~ "CGSL MAIN 5.05")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.05": [
        "unixODBC-2.3.1-14.el7",
        "unixODBC-debuginfo-2.3.1-14.el7",
        "unixODBC-devel-2.3.1-14.el7"
      ],
      "CGSL MAIN 5.05": [
        "unixODBC-2.3.1-14.el7",
        "unixODBC-debuginfo-2.3.1-14.el7",
        "unixODBC-devel-2.3.1-14.el7"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "unixODBC");
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1354.NASL
    descriptionA buffer overflow flaw was found in the unicode_to_ansi_copy() function of unixODBC. This overflow is not directly controllable by an attacker making the maximum potential impact a crash or denial of service.(CVE-2018-7409) An argument order confusion flaw was found in the SQLWriteFileDSN API of unixODBC. This could only be exploited via a malicious ODBC database connector package with the maximum impact being a denial of service. (CVE-2018-7485)
    last seen2020-06-01
    modified2020-06-02
    plugin id130605
    published2019-11-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130605
    titleAmazon Linux 2 : unixODBC (ALAS-2019-1354)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux 2 Security Advisory ALAS-2019-1354.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130605);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/17");
    
      script_cve_id("CVE-2018-7409", "CVE-2018-7485");
      script_xref(name:"ALAS", value:"2019-1354");
    
      script_name(english:"Amazon Linux 2 : unixODBC (ALAS-2019-1354)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux 2 host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A buffer overflow flaw was found in the unicode_to_ansi_copy()
    function of unixODBC. This overflow is not directly controllable by an
    attacker making the maximum potential impact a crash or denial of
    service.(CVE-2018-7409)
    
    An argument order confusion flaw was found in the SQLWriteFileDSN API
    of unixODBC. This could only be exploited via a malicious ODBC
    database connector package with the maximum impact being a denial of
    service. (CVE-2018-7485)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/AL2/ALAS-2019-1354.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update unixODBC' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:unixODBC");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:unixODBC-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:unixODBC-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/11/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "2")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"AL2", reference:"unixODBC-2.3.1-14.amzn2")) flag++;
    if (rpm_check(release:"AL2", reference:"unixODBC-debuginfo-2.3.1-14.amzn2")) flag++;
    if (rpm_check(release:"AL2", reference:"unixODBC-devel-2.3.1-14.amzn2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "unixODBC / unixODBC-debuginfo / unixODBC-devel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2267.NASL
    descriptionAccording to the versions of the unixODBC packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In unixODBC before 2.3.5, there is a buffer overflow in the unicode_to_ansi_copy() function in DriverManager/__info.c.(CVE-2018-7409) - The SQLWriteFileDSN function in odbcinst/SQLWriteFileDSN.c in unixODBC 2.3.5 has strncpy arguments in the wrong order, which allows attackers to cause a denial of service or possibly have unspecified other impact.(CVE-2018-7485) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-11-08
    plugin id130729
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130729
    titleEulerOS 2.0 SP3 : unixODBC (EulerOS-SA-2019-2267)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190806_UNIXODBC_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - unixODBC: Buffer overflow in unicode_to_ansi_copy() can lead to crash or other unspecified impact (CVE-2018-7409) - unixODBC: Insecure buffer copy in SQLWriteFileDSN function in odbcinst/SQLWriteFileDSN.c (CVE-2018-7485)
    last seen2020-03-18
    modified2019-08-27
    plugin id128268
    published2019-08-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128268
    titleScientific Linux Security Update : unixODBC on SL7.x x86_64 (20190806)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1832-1.NASL
    descriptionThis update for unixODBC to version 2.3.6 fixes the following issues : - CVE-2018-7409: Buffer overflow in unicode_to_ansi_copy() was fixed in 2.3.5 (bsc#1082290) - CVE-2018-7485: Swapped arguments in SQLWriteFileDSN() in odbcinst/SQLWriteFileDSN.c (bsc#1082484) Other fixes : - Enabled --enable-fastvalidate option in configure (bsc#1044970) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110764
    published2018-06-28
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110764
    titleSUSE SLED12 / SLES12 Security Update : unixODBC (SUSE-SU-2018:1832-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-9565C0BC9A.NASL
    descriptionupdate to version 2.3.7 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120631
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120631
    titleFedora 28 : unixODBC (2018-9565c0bc9a)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-684.NASL
    descriptionThis update for unixODBC to version 2.3.6 fixes the following issues : - CVE-2018-7409: Buffer overflow in unicode_to_ansi_copy() was fixed in 2.3.5 (bsc#1082290) - CVE-2018-7485: Swapped arguments in SQLWriteFileDSN() in odbcinst/SQLWriteFileDSN.c (bsc#1082484) Other fixes : - Enabled --enable-fastvalidate option in configure (bsc#1044970) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2018-07-02
    plugin id110829
    published2018-07-02
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110829
    titleopenSUSE Security Update : unixODBC (openSUSE-2018-684)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2336.NASL
    descriptionAn update for unixODBC is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The unixODBC packages contain a framework that supports accessing databases through the ODBC protocol. Security Fix(es) : * unixODBC: Buffer overflow in unicode_to_ansi_copy() can lead to crash or other unspecified impact (CVE-2018-7409) * unixODBC: Insecure buffer copy in SQLWriteFileDSN function in odbcinst/ SQLWriteFileDSN.c (CVE-2018-7485) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128392
    published2019-08-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128392
    titleCentOS 7 : unixODBC (CESA-2019:2336)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2494.NASL
    descriptionAccording to the versions of the unixODBC packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Install unixODBC if you want to access databases through ODBC.You will also need the mysql-connector-odbc package if you want to access a MySQL database, and/or the postgresql-odbc package for PostgreSQL.Security Fix(es):The SQLWriteFileDSN function in odbcinst/SQLWriteFileDSN.c in unixODBC 2.3.5 has strncpy arguments in the wrong order, which allows attackers to cause a denial of service or possibly have unspecified other impact.(CVE-2018-7485)In unixODBC before 2.3.5, there is a buffer overflow in the unicode_to_ansi_copy() function in DriverManager/__info.c.(CVE-2018-7409) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-12-04
    plugin id131647
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131647
    titleEulerOS 2.0 SP2 : unixODBC (EulerOS-SA-2019-2494)

Redhat

advisories
bugzilla
id1549636
titleCVE-2018-7485 unixODBC: Insecure buffer copy in SQLWriteFileDSN function in odbcinst/SQLWriteFileDSN.c
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentunixODBC is earlier than 0:2.3.1-14.el7
          ovaloval:com.redhat.rhsa:tst:20192336001
        • commentunixODBC is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20192336002
      • AND
        • commentunixODBC-devel is earlier than 0:2.3.1-14.el7
          ovaloval:com.redhat.rhsa:tst:20192336003
        • commentunixODBC-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20192336004
rhsa
idRHSA-2019:2336
released2019-08-06
severityModerate
titleRHSA-2019:2336: unixODBC security update (Moderate)
rpms
  • unixODBC-0:2.3.1-14.el7
  • unixODBC-debuginfo-0:2.3.1-14.el7
  • unixODBC-devel-0:2.3.1-14.el7