Vulnerabilities > CVE-2018-7548 - NULL Pointer Dereference vulnerability in multiple products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

zsh

canonical

CWE-476

critical

nessus

NVD

Published: 2018-02-27

Updated: 2019-03-05

Summary

In subst.c in zsh through 5.4.2, there is a NULL pointer dereference when using ${(PA)...} on an empty array result.

Vulnerable Configurations

Part	Description	Count
Application	Zsh ZSH ZSH 3.1.5 ZSH ZSH 3.1.6 ZSH ZSH 3.1.7 ZSH ZSH 3.1.8 ZSH ZSH 3.1.9 ZSH ZSH 4.0.1 ZSH ZSH 4.0.2 ZSH ZSH 4.0.3 ZSH ZSH 4.0.4 ZSH ZSH 4.0.5 ZSH ZSH 4.0.6 ZSH ZSH 4.0.7 ZSH ZSH 4.0.8 ZSH ZSH 4.0.9 ZSH ZSH 4.1.0 ZSH ZSH 4.1.1 ZSH ZSH 4.2.0 ZSH ZSH 4.2.1 ZSH ZSH 4.2.2 ZSH ZSH 4.2.3 ZSH ZSH 4.2.4 ZSH ZSH 4.2.5 ZSH ZSH 4.2.6 ZSH ZSH 4.3.0 ZSH ZSH 4.3.1 ZSH ZSH 4.3.2 ZSH ZSH 4.3.3 ZSH ZSH 4.3.4 ZSH ZSH 4.3.5 ZSH ZSH 4.3.6 ZSH ZSH 4.3.7 ZSH ZSH 4.3.8 ZSH ZSH 4.3.9 ZSH ZSH 4.3.10 ZSH ZSH 4.3.11 ZSH ZSH 4.3.12 ZSH ZSH 4.3.13 ZSH ZSH 4.3.14 ZSH ZSH 4.3.15 ZSH ZSH 4.3.16 ZSH ZSH 4.3.17 ZSH ZSH 5.0.0 ZSH ZSH 5.0.1 ZSH ZSH 5.0.2 ZSH ZSH 5.0.3 ZSH ZSH 5.0.4 ZSH ZSH 5.0.5 ZSH ZSH 5.0.6 ZSH ZSH 5.0.7 ZSH ZSH 5.0.8 ZSH ZSH 5.1 ZSH ZSH 5.1.1 ZSH ZSH 5.2 ZSH ZSH 5.3 ZSH ZSH 5.3.1 ZSH ZSH 5.4 ZSH ZSH 5.4.1 ZSH ZSH 5.4.2	179
OS	Canonical Canonical Ubuntu Linux 17.10	1

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

Nessus

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2018-2_0-0028.NASL
description	An update of {'zsh'} packages of Photon OS has been released.
last seen	2019-02-08
modified	2019-02-07
plugin id	111292
published	2018-07-24
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=111292
title	Photon OS 2.0 : zsh (PhotonOS-PHSA-2018-2.0-0028) (deprecated)
code	# # (C) Tenable Network Security, Inc. # # @DEPRECATED@ # # Disabled on 2/7/2019 # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2018-2.0-0028. The text # itself is copyright (C) VMware, Inc. include("compat.inc"); if (description) { script_id(111292); script_version("1.2"); script_cvs_date("Date: 2019/02/07 18:59:50"); script_cve_id("CVE-2018-7548"); script_name(english:"Photon OS 2.0 : zsh (PhotonOS-PHSA-2018-2.0-0028) (deprecated)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "This plugin has been deprecated."); script_set_attribute(attribute:"description", value: "An update of {'zsh'} packages of Photon OS has been released."); # https://github.com/vmware/photon/wiki/Security-Updates-2-28 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?17a379c5"); script_set_attribute(attribute:"solution", value:"n/a."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7548"); script_set_attribute(attribute:"patch_publication_date", value:"2018/03/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/24"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:zsh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } exit(0, "This plugin has been deprecated."); include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) \|\| release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux\|OS) 2\.0(\D\|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; pkgs = [ "zsh-5.3.1-5.ph2", "zsh-debuginfo-5.3.1-5.ph2", "zsh-html-5.3.1-5.ph2" ]; foreach (pkg in pkgs) if (rpm_check(release:"PhotonOS-2.0", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "zsh"); }

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201805-10.NASL
description	The remote host is affected by the vulnerability described in GLSA-201805-10 (Zsh: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Zsh. Please review the CVE identifiers referenced below for details. Impact : A local attacker could execute arbitrary code, escalate privileges, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	110174
published	2018-05-29
reporter	This script is Copyright (C) 2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/110174
title	GLSA-201805-10 : Zsh: Multiple vulnerabilities

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2018-2_0-0028_ZSH.NASL
description	An update of the zsh package has been released.
last seen	2020-03-17
modified	2019-02-07
plugin id	121928
published	2019-02-07
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/121928
title	Photon OS 2.0: Zsh PHSA-2018-2.0-0028

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-3593-1.NASL
description	It was discovered that Zsh incorrectly handled certain enviroment variables. An attacker could possibly use this issue to gain privileged access to the system. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-10070) It was discovered that Zsh incorrectly handled certain inputs. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-10071) It was discovered that Zsh incorrectly handled some symbolic links. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-10072) It was discovered that Zsh incorrectly handled certain errors. An attacker could possibly use this issue to cause a denial of service. (CVE-2016-10714) It was discovered that Zsh incorrectly handled certain commands. An attacker could possibly use this to execute arbitrary code. (CVE-2017-18205) It was discovered that Zsh incorrectly handled certain symlinks. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-18206) It was discovered that Zsh incorrectly handled certain inputs. An attacker could possible use to execute arbitrary code. This issue only affected Ubuntu 17.10. (CVE-2018-7548) It was discovered that Zsh incorrectly handled certain inputs. An attacker could possibly use this to cause a denial of service. (CVE-2018-7549). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	107257
published	2018-03-09
reporter	Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/107257
title	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : zsh vulnerabilities (USN-3593-1)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2018-D2DCDBB051.NASL
description	- avoid crash when copying empty hash table (CVE-2018-7549) - avoid NULL dereference when using ```${(PA)...}``` on an empty array (CVE-2018-7548) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2019-01-03
plugin id	120817
published	2019-01-03
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/120817
title	Fedora 28 : zsh (2018-d2dcdbb051)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2018-9CDF18A850.NASL
description	- avoid crash when copying empty hash table (CVE-2018-7549) - avoid NULL dereference when using ```${(PA)...}``` on an empty array (CVE-2018-7548) - fix buffer overrun in xsymlinks (CVE-2017-18206) - fix NULL dereference in cd (CVE-2017-18205) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2018-03-21
plugin id	108506
published	2018-03-21
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/108506
title	Fedora 26 : zsh (2018-9cdf18a850)

NASL family	Slackware Local Security Checks
NASL id	SLACKWARE_SSA_2019-013-01.NASL
description	New zsh packages are available for Slackware 14.0, 14.1, and 14.2 to fix security issues.
last seen	2020-03-17
modified	2019-01-14
plugin id	121145
published	2019-01-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/121145
title	Slackware 14.0 / 14.1 / 14.2 : zsh (SSA:2019-013-01)

NASL family	Amazon Linux Local Security Checks
NASL id	AL2_ALAS-2018-986.NASL
description	NULL dereference in cd in sh compatibility mode under given circumstances In builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a NULL pointer dereference during processing of the cd command with no argument if HOME is not set. (CVE-2017-18205) NULL pointer deref when using ${(PA)...} on an empty array result : In subst.c in zsh through 5.4.2, there is a NULL pointer dereference when using ${(PA)...} on an empty array result. (CVE-2018-7548) Buffer overrun in xsymlinks In utils.c in zsh before 5.4, symlink expansion had a buffer overflow. (CVE-2017-18206) Crash on copying empty hash table In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p. (CVE-2018-7549)
last seen	2020-06-01
modified	2020-06-02
plugin id	109139
published	2018-04-18
reporter	This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109139
title	Amazon Linux 2 : zsh (ALAS-2018-986)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2018-019A32A468.NASL
description	- avoid crash when copying empty hash table (CVE-2018-7549) - avoid NULL dereference when using ```${(PA)...}``` on an empty array (CVE-2018-7548) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2018-03-14
plugin id	108306
published	2018-03-14
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/108306
title	Fedora 27 : zsh (2018-019a32a468)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

References