Vulnerabilities > CVE-2019-14866
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
cpio, in all versions before 2.13, does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives as a high-privilege user without carefully reviewing them may lead to the compromise of the system.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 15 |
OS | | 2 |
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4176-1.NASL description Thomas Habets discovered that GNU cpio incorrectly handled certain inputs. An attacker could possibly use this issue to access sensitive information. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 130622 published 2019-11-07 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130622 title Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : cpio vulnerability (USN-4176-1) code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4176-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

# Purpose: local package-version check for USN-4176-1 (CVE-2019-14866) on
# Ubuntu. The script does not exercise cpio itself; per its own summary it
# "Checks dpkg output for updated package", so a finding means the installed
# package is older than the version listed in the checks below.

include("compat.inc");

# Metadata registration: when `description` is set the script only declares
# its attributes and exits without touching the host.
if (description)
{
  script_id(130622);
  script_version("1.4");
  script_cvs_date("Date: 2020/01/15");

  script_cve_id("CVE-2019-14866");
  script_xref(name:"USN", value:"4176-1");

  script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : cpio vulnerability (USN-4176-1)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  # NOTE(review): the advisory text below speaks only of access to sensitive
  # information, while the CVSS vectors set further down rate confidentiality,
  # integrity and availability all as complete/high. Triage on the vectors,
  # not on the wording of the description.
  script_set_attribute(
    attribute:"description",
    value:
"Thomas Habets discovered that GNU cpio incorrectly handled certain inputs. An attacker could possibly use this issue to access sensitive information. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/4176-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected cpio package.");
  # CVSS v2: local vector, medium complexity, no authentication, complete C/I/A.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  # CVSS v3.0: local vector, low complexity, low privileges, user interaction
  # required (UI:R), scope unchanged, high C/I/A.
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  # NOTE(review): the CPE list names 14.04, but no package check for 14.04
  # appears in the detection logic below.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cpio");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.10");

  # NOTE(review): the vulnerability publication date recorded here is later
  # than the patch publication date; values are kept as the plugin gives them.
  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  # The check needs these knowledge-base items; presumably they are filled
  # in by ssh_get_info.nasl during a credentialed scan (confirm).
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

# Without local checks enabled there is no package inventory to compare, so
# the script audits out instead of reporting. An uncredentialed scan
# therefore yields no finding from this plugin either way.
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
# Release gate. 12.04 and 14.04 pass this pattern although no ubuntu_check()
# call below targets them.
if (! preg(pattern:"^(12\.04|14\.04|16\.04|18\.04|19\.04|19\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 16.04 / 18.04 / 19.04 / 19.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architecture gate: only x86_64 and i386-i686 continue; any other CPU is
# audited as "local checks not implemented" and gets no result.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);


# One check per release covered by the notice. pkgver is presumably the
# fixed package version, with older installed versions counted as missing
# the patch; confirm against ubuntu.inc.
flag = 0;

if (ubuntu_check(osver:"16.04", pkgname:"cpio", pkgver:"2.11+dfsg-5ubuntu1.1")) flag++;
if (ubuntu_check(osver:"18.04", pkgname:"cpio", pkgver:"2.12+dfsg-6ubuntu0.18.04.1")) flag++;
if (ubuntu_check(osver:"19.04", pkgname:"cpio", pkgver:"2.12+dfsg-6ubuntu0.19.04.1")) flag++;
if (ubuntu_check(osver:"19.10", pkgname:"cpio", pkgver:"2.12+dfsg-9ubuntu0.1")) flag++;

if (flag)
{
  # At least one check matched: report at warning severity on port 0, with
  # the package details returned by ubuntu_report_get().
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  # No check matched. On 12.04 / 14.04 this branch is reached without any
  # package comparison having targeted the release, so the audit result
  # there is not evidence that cpio is fixed.
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cpio");
}
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_F59AF30807F311EA8C56F8B156B6DCC8.NASL description Sergey Poznyakoff reports : This stable release fixes several potential vulnerabilities CVE-2015-1197: cpio, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive. CVE-2016-2037: The cpio_safer_name_suffix function in util.c allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file. CVE-2019-14866: Improper input validation when writing tar header fields leads to unexpected tar generation. last seen 2020-06-01 modified 2020-06-02 plugin id 131109 published 2019-11-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131109 title FreeBSD : GNU cpio -- multiple vulnerabilities (f59af308-07f3-11ea-8c56-f8b156b6dcc8) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2687.NASL description According to the version of the cpio package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was discovered cpio does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.(CVE-2019-14866) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. 
last seen 2020-05-08 modified 2019-12-23 plugin id 132354 published 2019-12-23 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132354 title EulerOS 2.0 SP5 : cpio (EulerOS-SA-2019-2687) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-1_0-0267_CPIO.NASL description An update of the cpio package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 133302 published 2020-01-29 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133302 title Photon OS 1.0: Cpio PHSA-2020-1.0-0267 NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-3059-1.NASL description This update for cpio fixes the following issues : CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 131309 published 2019-11-26 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131309 title SUSE SLED15 / SLES15 Security Update : cpio (SUSE-SU-2019:3059-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1056.NASL description According to the version of the cpio package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - cpio does not properly validate the values written in the header of a TAR file through the to_oct() function. 
When creating a TAR file from a list of files and one of those is another TAR file with a big size, cpio will generate the resulting file with the content extracted from the input one. This leads to unexpected results as the newly generated TAR file could have files with permissions the owner of the input TAR file did not have or in paths he did not have access to.(CVE-2019-14866) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 132810 published 2020-01-13 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132810 title EulerOS Virtualization for ARM 64 3.0.5.0 : cpio (EulerOS-SA-2020-1056) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1522.NASL description According to the version of the cpio package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - It was discovered cpio does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.(CVE-2019-14866) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. 
last seen 2020-05-08 modified 2020-05-01 plugin id 136225 published 2020-05-01 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136225 title EulerOS Virtualization for ARM 64 3.0.2.0 : cpio (EulerOS-SA-2020-1522) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-3_0-0053_CPIO.NASL description An update of the cpio package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 133467 published 2020-02-04 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133467 title Photon OS 3.0: Cpio PHSA-2020-3.0-0053 NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1375.NASL description According to the version of the cpio package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.(CVE-2019-14866) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2020-04-15 plugin id 135504 published 2020-04-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/135504 title EulerOS 2.0 SP3 : cpio (EulerOS-SA-2020-1375) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1002.NASL description According to the version of the cpio package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - cpio does not properly validate the values written in the header of a TAR file through the to_oct() function. When creating a TAR file from a list of files and one of those is another TAR file with a big size, cpio will generate the resulting file with the content extracted from the input one. This leads to unexpected results as the newly generated TAR file could have files with permissions the owner of the input TAR file did not have or in paths he did not have access to.(CVE-2019-14866) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-03 modified 2020-01-02 plugin id 132595 published 2020-01-02 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132595 title EulerOS 2.0 SP8 : cpio (EulerOS-SA-2020-1002) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-3064-1.NASL description This update for cpio fixes the following issues : CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. 
last seen 2020-06-01 modified 2020-06-02 plugin id 131312 published 2019-11-26 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131312 title SUSE SLED12 / SLES12 Security Update : cpio (SUSE-SU-2019:3064-1) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1981.NASL description A vulnerability was discovered in the cpio package. CVE-2019-14866 It is possible for an attacker to create a file so when backed up with cpio can generate arbitrary files in the resulting tar archive. When the backup is restored the file is then created with arbitrary permissions. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 130522 published 2019-11-06 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130522 title Debian DLA-1981-1 : cpio security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2593.NASL description This update for cpio fixes the following issues : - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 131536 published 2019-12-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131536 title openSUSE Security Update : cpio (openSUSE-2019-2593) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-2_0-0202_CPIO.NASL description An update of the cpio package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 133262 published 2020-01-27 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/133262 title Photon OS 2.0: Cpio PHSA-2020-2.0-0202 NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2596.NASL description This update for cpio fixes the following issues : - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 131539 published 2019-12-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131539 title openSUSE Security Update : cpio (openSUSE-2019-2596)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14866
- https://lists.debian.org/debian-lts-announce/2023/06/msg00007.html
- https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html
- https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html