Vulnerabilities > CVE-2018-7548 - NULL Pointer Dereference vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In subst.c in zsh through 5.4.2, there is a NULL pointer dereference when using ${(PA)...} on an empty array result.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0028.NASL description An update of {'zsh'} packages of Photon OS has been released. last seen 2019-02-08 modified 2019-02-07 plugin id 111292 published 2018-07-24 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111292 title Photon OS 2.0 : zsh (PhotonOS-PHSA-2018-2.0-0028) (deprecated) code # # (C) Tenable Network Security, Inc. # # @DEPRECATED@ # # Disabled on 2/7/2019 # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2018-2.0-0028. The text # itself is copyright (C) VMware, Inc. include("compat.inc"); if (description) { script_id(111292); script_version("1.2"); script_cvs_date("Date: 2019/02/07 18:59:50"); script_cve_id("CVE-2018-7548"); script_name(english:"Photon OS 2.0 : zsh (PhotonOS-PHSA-2018-2.0-0028) (deprecated)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "This plugin has been deprecated."); script_set_attribute(attribute:"description", value: "An update of {'zsh'} packages of Photon OS has been released."); # https://github.com/vmware/photon/wiki/Security-Updates-2-28 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?17a379c5"); script_set_attribute(attribute:"solution", value:"n/a."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7548"); script_set_attribute(attribute:"patch_publication_date", value:"2018/03/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/24"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:zsh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } exit(0, "This plugin has been deprecated."); include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; pkgs = [ "zsh-5.3.1-5.ph2", "zsh-debuginfo-5.3.1-5.ph2", "zsh-html-5.3.1-5.ph2" ]; foreach (pkg in pkgs) if (rpm_check(release:"PhotonOS-2.0", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "zsh"); }
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201805-10.NASL description The remote host is affected by the vulnerability described in GLSA-201805-10 (Zsh: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Zsh. Please review the CVE identifiers referenced below for details. Impact : A local attacker could execute arbitrary code, escalate privileges, or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 110174 published 2018-05-29 reporter This script is Copyright (C) 2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/110174 title GLSA-201805-10 : Zsh: Multiple vulnerabilities NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0028_ZSH.NASL description An update of the zsh package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121928 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121928 title Photon OS 2.0: Zsh PHSA-2018-2.0-0028 NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3593-1.NASL description It was discovered that Zsh incorrectly handled certain enviroment variables. An attacker could possibly use this issue to gain privileged access to the system. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-10070) It was discovered that Zsh incorrectly handled certain inputs. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-10071) It was discovered that Zsh incorrectly handled some symbolic links. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-10072) It was discovered that Zsh incorrectly handled certain errors. An attacker could possibly use this issue to cause a denial of service. (CVE-2016-10714) It was discovered that Zsh incorrectly handled certain commands. An attacker could possibly use this to execute arbitrary code. (CVE-2017-18205) It was discovered that Zsh incorrectly handled certain symlinks. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-18206) It was discovered that Zsh incorrectly handled certain inputs. An attacker could possible use to execute arbitrary code. This issue only affected Ubuntu 17.10. (CVE-2018-7548) It was discovered that Zsh incorrectly handled certain inputs. An attacker could possibly use this to cause a denial of service. (CVE-2018-7549). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 107257 published 2018-03-09 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107257 title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : zsh vulnerabilities (USN-3593-1) NASL family Fedora Local Security Checks NASL id FEDORA_2018-D2DCDBB051.NASL description - avoid crash when copying empty hash table (CVE-2018-7549) - avoid NULL dereference when using ```${(PA)...}``` on an empty array (CVE-2018-7548) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120817 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120817 title Fedora 28 : zsh (2018-d2dcdbb051) NASL family Fedora Local Security Checks NASL id FEDORA_2018-9CDF18A850.NASL description - avoid crash when copying empty hash table (CVE-2018-7549) - avoid NULL dereference when using ```${(PA)...}``` on an empty array (CVE-2018-7548) - fix buffer overrun in xsymlinks (CVE-2017-18206) - fix NULL dereference in cd (CVE-2017-18205) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-03-21 plugin id 108506 published 2018-03-21 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108506 title Fedora 26 : zsh (2018-9cdf18a850) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2019-013-01.NASL description New zsh packages are available for Slackware 14.0, 14.1, and 14.2 to fix security issues. last seen 2020-03-17 modified 2019-01-14 plugin id 121145 published 2019-01-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121145 title Slackware 14.0 / 14.1 / 14.2 : zsh (SSA:2019-013-01) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2018-986.NASL description NULL dereference in cd in sh compatibility mode under given circumstances In builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a NULL pointer dereference during processing of the cd command with no argument if HOME is not set. (CVE-2017-18205) NULL pointer deref when using ${(PA)...} on an empty array result : In subst.c in zsh through 5.4.2, there is a NULL pointer dereference when using ${(PA)...} on an empty array result. (CVE-2018-7548) Buffer overrun in xsymlinks In utils.c in zsh before 5.4, symlink expansion had a buffer overflow. (CVE-2017-18206) Crash on copying empty hash table In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p. (CVE-2018-7549) last seen 2020-06-01 modified 2020-06-02 plugin id 109139 published 2018-04-18 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109139 title Amazon Linux 2 : zsh (ALAS-2018-986) NASL family Fedora Local Security Checks NASL id FEDORA_2018-019A32A468.NASL description - avoid crash when copying empty hash table (CVE-2018-7549) - avoid NULL dereference when using ```${(PA)...}``` on an empty array (CVE-2018-7548) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-03-14 plugin id 108306 published 2018-03-14 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108306 title Fedora 27 : zsh (2018-019a32a468)
References
- https://security.gentoo.org/glsa/201805-10
- https://security.gentoo.org/glsa/201805-10
- https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102
- https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102
- https://usn.ubuntu.com/3593-1/
- https://usn.ubuntu.com/3593-1/