CVE-2019-3500 - Information Exposure Through Log Files vulnerability in multiple products
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |

Summary
aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Authentication username and password in a file, which might allow local users to obtain sensitive information by reading this file.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
OS | | 2 |
OS | | 3 |
OS | | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Fuzzing and observing application log data/errors for application mapping: An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages, but by attempting a large number of message variants they may find a variant that triggers desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.
Nessus
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DLA-1636.NASL |
description | It was discovered that aria2 (the lightweight command-line download utility) can store passed user credentials in a log file when using the --log option. This might allow local users to obtain sensitive information by reading this file. For Debian 8 |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 121313 |
published | 2019-01-23 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/121313 |
title | Debian DLA-1636-1 : aria2 security update |

code

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-1636-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(121313);
  script_version("1.3");
  script_cvs_date("Date: 2019/04/02 21:54:16");

  script_cve_id("CVE-2019-3500");

  script_name(english:"Debian DLA-1636-1 : aria2 security update");
  script_summary(english:"Checks dpkg output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"It was discovered that aria2 (the lightweight command-line download
utility) can store passed user credentials in a log file when using
the --log option. This might allow local users to obtain sensitive
information by reading this file.

For Debian 8 'Jessie', this problem has been fixed in version
1.18.8-1+deb8u1.

We recommend that you upgrade your aria2 packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2019/01/msg00012.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/aria2"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade the affected aria2 package."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:aria2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/01/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/23");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"8.0", prefix:"aria2", reference:"1.18.8-1+deb8u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-3965-1.NASL |
description | Dhiraj Mishra discovered that aria2 incorrectly stored authentication information. A local attacker could possibly use this issue to obtain credentials. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 124676 |
published | 2019-05-07 |
reporter | Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/124676 |
title | Ubuntu 18.10 / 19.04 : aria2 vulnerability (USN-3965-1) |

code

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3965-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124676);
  script_version("1.3");
  script_cvs_date("Date: 2019/09/18 12:31:49");

  script_cve_id("CVE-2019-3500");
  script_xref(name:"USN", value:"3965-1");

  script_name(english:"Ubuntu 18.10 / 19.04 : aria2 vulnerability (USN-3965-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Dhiraj Mishra discovered that aria2 incorrectly stored authentication
information. A local attacker could possibly use this issue to obtain
credentials.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3965-1/"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected aria2 and / or libaria2-0 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:aria2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libaria2-0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(18\.10|19\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 18.10 / 19.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"18.10", pkgname:"aria2", pkgver:"1.34.0-2ubuntu0.1")) flag++;
if (ubuntu_check(osver:"18.10", pkgname:"libaria2-0", pkgver:"1.34.0-2ubuntu0.1")) flag++;
if (ubuntu_check(osver:"19.04", pkgname:"aria2", pkgver:"1.34.0-3ubuntu0.1")) flag++;
if (ubuntu_check(osver:"19.04", pkgname:"libaria2-0", pkgver:"1.34.0-3ubuntu0.1")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_NOTE,
    extra    : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "aria2 / libaria2-0");
}
```

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2019-248AD990B4.NASL |
description | Fix Password leak for HTTP based authentication CVE-2019-3500 (rhbz #1663991 #1663992 #1663993) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 124479 |
published | 2019-05-02 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/124479 |
title | Fedora 30 : aria2 (2019-248ad990b4) |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2019-50.NASL |
description | This update for aria2 fixes the following security issue : - CVE-2019-3500: Metadata and potential password leaks via --log= (boo#1120488) |
last seen | 2020-05-31 |
modified | 2019-01-14 |
plugin id | 121156 |
published | 2019-01-14 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/121156 |
title | openSUSE Security Update : aria2 (openSUSE-2019-50) |

Packetstorm
data source | https://packetstormsecurity.com/files/download/150994/aria21331-disclose.txt |
id | PACKETSTORM:150994 |
last seen | 2019-01-03 |
published | 2019-01-02 |
reporter | Mishra Dhiraj |
source | https://packetstormsecurity.com/files/150994/aria2-1.33.1-Password-Disclosure.html |
title | aria2 1.33.1 Password Disclosure |
References
- https://github.com/aria2/aria2/issues/1329
- https://lists.debian.org/debian-lts-announce/2019/01/msg00012.html
- https://usn.ubuntu.com/3965-1/
- https://lists.debian.org/debian-lts-announce/2021/12/msg00039.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MUUYDELHRLVE2AFNVR3OJ6ILUKVLY4B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/532M22TAOOIY3J4XX4R7BLZHXJRUSBQ2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U5OLPTVYHJZJ2MVEXJCNPXBSFPVPE4XX/