CVE-2019-5443 - Uncontrolled Search Path Element vulnerability in multiple products
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary
A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging/Manipulating Configuration File Search Paths: This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program, such as a path variable or classpath. J2EE applications and other component-based applications that are built from multiple binaries can have a very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker, then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this. If the attacker modifies the path variable to point to a location that includes malicious resources, then the user can unwittingly execute commands on the attacker's behalf. This is a form of usurping control of the program, and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime, detection and blocking of this attack is nearly impossible, because the configuration allows execution.
- DLL Search Order Hijacking: The attacker exploits the behaviour of the Windows DLL loader, where the process loading a DLL searches for it first in the directory in which the process binary resides and then in other directories (e.g., System32). Exploitation of this preferential search order can allow an attacker to make the loading process load the attacker's rogue DLL rather than the legitimate DLL. For instance, an attacker with access to the file system may place a malicious ntshrui.dll in the C:\Windows directory; this DLL normally resides in the System32 folder. The process explorer.exe, which also resides in C:\Windows, upon trying to load ntshrui.dll from the System32 folder will actually load the DLL supplied by the attacker, simply because of the preferential search order. Since the attacker has placed the malicious ntshrui.dll in the same directory as the loading explorer.exe process, the attacker's DLL is found first and is loaded in lieu of the legitimate DLL. Since explorer.exe is loaded during the boot cycle, the attacker's malware is guaranteed to execute. This attack can be leveraged with many different DLLs and many different loading processes. No forensic trail is left in the system's registry or file system that an incorrect DLL has been loaded.
Nessus
NASL family: Databases
NASL id: MYSQL_8_0_18.NASL
description: The version of MySQL running on the remote host is 8.0.x prior to 8.0.18. It is, therefore, affected by multiple vulnerabilities, including three of the top vulnerabilities below, as noted in the October 2019 Critical Patch Update advisory:
- Vulnerabilities in the MySQL Server product of Oracle MySQL (components: Server: C API and Optimizer). Easily exploitable vulnerabilities which allow low privileged attackers with network access via multiple protocols to compromise MySQL Server. Successful exploitation of these vulnerabilities can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2966, CVE-2019-3011)
- A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl 'engine') on invocation. If that curl is invoked by a privileged user it can do anything it wants. (CVE-2019-5443)
last seen: 2020-05-08
modified: 2019-10-18
plugin id: 130027
published: 2019-10-18
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/130027
title: MySQL 8.0.x < 8.0.18 Multiple Vulnerabilities (Oct 2019 CPU)
code:

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(130027);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06");

  script_cve_id(
    "CVE-2020-2752",
    "CVE-2019-2911",
    "CVE-2019-2914",
    "CVE-2019-2938",
    "CVE-2019-2946",
    "CVE-2019-2957",
    "CVE-2019-2960",
    "CVE-2019-2963",
    "CVE-2019-2966",
    "CVE-2019-2967",
    "CVE-2019-2968",
    "CVE-2019-2974",
    "CVE-2019-2982",
    "CVE-2019-2991",
    "CVE-2019-2993",
    "CVE-2019-2997",
    "CVE-2019-2998",
    "CVE-2019-3004",
    "CVE-2019-3009",
    "CVE-2019-3011",
    "CVE-2019-3018",
    "CVE-2019-5443",
    "CVE-2020-2580",
    "CVE-2020-2589"
  );
  script_bugtraq_id(108881);
  script_xref(name:"IAVA", value:"2020-A-0143");

  script_name(english:"MySQL 8.0.x < 8.0.18 Multiple Vulnerabilities (Oct 2019 CPU)");
  script_summary(english:"Checks the version of MySQL server.");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of MySQL running on the remote host is 8.0.x prior to
8.0.18. It is, therefore, affected by multiple vulnerabilities,
including three of the top vulnerabilities below, as noted in the
October 2019 Critical Patch Update advisory:

  - Vulnerabilities in the MySQL Server product of Oracle MySQL
    (components: Server: C API and Optimizer). Easily exploitable
    vulnerabilities which allow low privileged attackers with
    network access via multiple protocols to compromise MySQL
    Server. Successful exploitation of these vulnerabilities can
    result in unauthorized ability to cause a hang or frequently
    repeatable crash (complete DOS) of MySQL Server.
    (CVE-2019-2966, CVE-2019-3011)

  - A non-privileged user or program can put code and a config
    file in a known non-privileged path (under C:/usr/local/)
    that will make curl <= 7.65.1 automatically run the code (as
    an openssl 'engine') on invocation. If that curl is invoked by
    a privileged user it can do anything it wants. (CVE-2019-5443)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-18.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?97fbbe00");
  # https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b370bc74");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MySQL version 8.0.18 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2991");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/18");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mysql_version.nasl", "mysql_login.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/mysql", 3306);

  exit(0);
}

include('mysql_version.inc');

mysql_check_version(fixed:'8.0.18', min:'8.0.0', severity:SECURITY_WARNING);
NASL family: Misc.
NASL id: ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_OCT_2019_CPU.NASL
description: The version of Oracle Enterprise Manager Ops Center installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component:
- An unspecified vulnerability in the Networking (cURL) component of Oracle Enterprise Manager Ops Center. An easy to exploit vulnerability could allow an unauthenticated attacker with network access via HTTPS to compromise Enterprise Manager Ops Center. A successful attack of this vulnerability can result in takeover of Enterprise Manager Ops Center. (CVE-2019-5443)
- An unspecified vulnerability in the Networking (jQuery) component of Oracle Enterprise Manager Ops Center. A difficult to exploit vulnerability could allow a low privileged attacker with logon to the infrastructure where Enterprise Manager Ops Center executes to compromise Enterprise Manager Ops Center. A successful attack of this vulnerability can result in unauthorized access of Enterprise Manager Ops Center data. (CVE-2019-11358)
- An unspecified vulnerability in the OS Provisioning (Apache HTTP Server) component of Oracle Enterprise Manager Ops Center. An easily exploitable vulnerability could allow an unauthenticated attacker with network access via multiple protocols to compromise Enterprise Manager Ops Center. A successful attack of this vulnerability can result in unauthorized access of Enterprise Manager Ops Center data. (CVE-2019-9517)
last seen: 2020-05-08
modified: 2020-01-17
plugin id: 133057
published: 2020-01-17
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/133057
title: Oracle Enterprise Manager Ops Center (Oct 2019 CPU)
code:

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(133057);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06");

  script_cve_id("CVE-2019-5443", "CVE-2019-9517", "CVE-2019-11358");
  script_bugtraq_id(108023, 108881);
  script_xref(name:"IAVA", value:"2019-A-0384");
  script_xref(name:"IAVA", value:"2020-A-0150");

  script_name(english:"Oracle Enterprise Manager Ops Center (Oct 2019 CPU)");
  script_summary(english:"Checks for the patch ID.");

  script_set_attribute(attribute:"synopsis", value:
"An enterprise management application installed on the remote host is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle Enterprise Manager Ops Center installed on the
remote host is affected by multiple vulnerabilities in Enterprise
Manager Base Platform component:

  - An unspecified vulnerability in the Networking (cURL) component of
    Oracle Enterprise Manager Ops Center. An easy to exploit
    vulnerability could allow an unauthenticated attacker with network
    access via HTTPS to compromise Enterprise Manager Ops Center. A
    successful attack of this vulnerability can result in takeover of
    Enterprise Manager Ops Center. (CVE-2019-5443)

  - An unspecified vulnerability in the Networking (jQuery) component
    of Oracle Enterprise Manager Ops Center. A difficult to exploit
    vulnerability could allow a low privileged attacker with logon to
    the infrastructure where Enterprise Manager Ops Center executes to
    compromise Enterprise Manager Ops Center. A successful attack of
    this vulnerability can result in unauthorized access of Enterprise
    Manager Ops Center data. (CVE-2019-11358)

  - An unspecified vulnerability in the OS Provisioning (Apache HTTP
    Server) component of Oracle Enterprise Manager Ops Center. An
    easily exploitable vulnerability could allow an unauthenticated
    attacker with network access via multiple protocols to compromise
    Enterprise Manager Ops Center. A successful attack of this
    vulnerability can result in unauthorized access of Enterprise
    Manager Ops Center data. (CVE-2019-9517)");
  # https://www.oracle.com/security-alerts/cpuoct2019.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2c94f8e4");
  # https://www.oracle.com/security-alerts/cpuoct2019verbose.html#EM
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?17ac9b74");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the October 2019 Oracle
Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5443");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager_ops_center");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_enterprise_manager_ops_center_installed.nbin");
  script_require_keys("installed_sw/Oracle Enterprise Manager Ops Center");

  exit(0);
}

include('global_settings.inc');
include('misc_func.inc');
include('install_func.inc');

get_kb_item_or_exit('Host/local_checks_enabled');

app_name = 'Oracle Enterprise Manager Ops Center';

install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);

version = install['version'];
version_full = install['Full Patch Version'];
path = install['path'];
patch_version = install['Patch Version'];

patchid = NULL;
fix = NULL;

# Each supported release line has its own fixing patch ID and patch level.
if (version_full =~ "^12\.3\.3\.")
{
  patchid = '30295408';
  fix = '1831';
}
else if (version_full =~ "^12\.4\.0\.")
{
  patchid = '30295414';
  fix = '1400';
}

if (isnull(patchid))
  audit(AUDIT_HOST_NOT, 'affected');

# Installed patch level at or above the fix means the host is not vulnerable.
if (ver_compare(ver:patch_version, fix:fix, strict:FALSE) != -1)
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_full, path);

report =
  '\n  Path                : ' + path +
  '\n  Version             : ' + version +
  '\n  Ops Agent Version   : ' + version_full +
  '\n  Current Patch       : ' + patch_version +
  '\n  Fixed Patch Version : ' + fix +
  '\n  Fix                 : ' + patchid;

security_report_v4(extra:report, severity:SECURITY_WARNING, port:0);
NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_FC91F2EFFD7B11E9A1C7B499BAEBFEAF.NASL
description: Oracle reports: This Critical Patch Update contains 31 new security fixes for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 130496
published: 2019-11-04
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/130496
title: FreeBSD : MySQL -- Multiple vulerabilities (fc91f2ef-fd7b-11e9-a1c7-b499baebfeaf)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2019 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(130496);
  script_version("1.2");
  script_cvs_date("Date: 2019/12/17");

  script_cve_id("CVE-2019-1543", "CVE-2019-2910", "CVE-2019-2911", "CVE-2019-2914", "CVE-2019-2920", "CVE-2019-2922", "CVE-2019-2923", "CVE-2019-2924", "CVE-2019-2938", "CVE-2019-2946", "CVE-2019-2948", "CVE-2019-2950", "CVE-2019-2957", "CVE-2019-2960", "CVE-2019-2963", "CVE-2019-2966", "CVE-2019-2967", "CVE-2019-2968", "CVE-2019-2969", "CVE-2019-2974", "CVE-2019-2982", "CVE-2019-2991", "CVE-2019-2993", "CVE-2019-2997", "CVE-2019-2998", "CVE-2019-3003", "CVE-2019-3004", "CVE-2019-3009", "CVE-2019-3011", "CVE-2019-3018", "CVE-2019-5443");

  script_name(english:"FreeBSD : MySQL -- Multiple vulerabilities (fc91f2ef-fd7b-11e9-a1c7-b499baebfeaf)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Oracle reports :

This Critical Patch Update contains 31 new security fixes for Oracle
MySQL. 6 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without
requiring user credentials."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.oracle.com/security-alerts/cpuoct2019.html"
  );
  # https://vuxml.freebsd.org/freebsd/fc91f2ef-fd7b-11e9-a1c7-b499baebfeaf.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?9cdc8bfa"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1543");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mariadb101-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mariadb102-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mariadb103-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mariadb104-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mariadb55-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mysql56-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mysql57-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mysql80-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:percona55-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:percona56-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:percona57-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/04");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Each pkg_test call compares the installed package against the fixed version.
flag = 0;

if (pkg_test(save_report:TRUE, pkg:"mariadb55-server<5.5.66")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mariadb101-server<10.1.42")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mariadb102-server<10.2.28")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mariadb103-server<10.3.19")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mariadb104-server<10.4.9")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mysql56-server<5.6.46")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mysql57-server<5.7.28")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mysql80-server<8.0.18")) flag++;
if (pkg_test(save_report:TRUE, pkg:"percona55-server<5.5.66")) flag++;
if (pkg_test(save_report:TRUE, pkg:"percona56-server<5.6.46")) flag++;
if (pkg_test(save_report:TRUE, pkg:"percona57-server<5.7.28")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: Databases
NASL id: MYSQL_5_7_28.NASL
description: The version of MySQL running on the remote host is 5.7.x prior to 5.7.28. It is, therefore, affected by multiple vulnerabilities, including three of the top vulnerabilities below, as noted in the October 2019 Critical Patch Update advisory:
- Vulnerabilities in the MySQL Server product of Oracle MySQL (component: Server: Optimizer and PS). Easily exploitable vulnerabilities which allow low privileged attackers with network access via multiple protocols to compromise MySQL Server. Successful exploitation of these vulnerabilities can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2946, CVE-2019-2974)
- A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl 'engine') on invocation. If that curl is invoked by a privileged user it can do anything it wants. (CVE-2019-5443)
last seen: 2020-05-08
modified: 2019-10-18
plugin id: 130026
published: 2019-10-18
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/130026
title: MySQL 5.7.x < 5.7.28 Multiple Vulnerabilities (Oct 2019 CPU)
code:

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(130026);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06");

  script_cve_id(
    "CVE-2020-2752",
    "CVE-2019-2910",
    "CVE-2019-2911",
    "CVE-2019-2914",
    "CVE-2019-2922",
    "CVE-2019-2923",
    "CVE-2019-2924",
    "CVE-2019-2938",
    "CVE-2019-2946",
    "CVE-2019-2960",
    "CVE-2019-2974",
    "CVE-2019-2993",
    "CVE-2019-5443"
  );
  script_bugtraq_id(108881);
  script_xref(name:"IAVA", value:"2020-A-0143");

  script_name(english:"MySQL 5.7.x < 5.7.28 Multiple Vulnerabilities (Oct 2019 CPU)");
  script_summary(english:"Checks the version of MySQL server.");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of MySQL running on the remote host is 5.7.x prior to
5.7.28. It is, therefore, affected by multiple vulnerabilities,
including three of the top vulnerabilities below, as noted in the
October 2019 Critical Patch Update advisory:

  - Vulnerabilities in the MySQL Server product of Oracle MySQL
    (component: Server: Optimizer and PS). Easily exploitable
    vulnerabilities which allow low privileged attackers with
    network access via multiple protocols to compromise MySQL
    Server. Successful exploitation of these vulnerabilities can
    result in unauthorized ability to cause a hang or frequently
    repeatable crash (complete DOS) of MySQL Server.
    (CVE-2019-2946, CVE-2019-2974)

  - A non-privileged user or program can put code and a config
    file in a known non-privileged path (under C:/usr/local/)
    that will make curl <= 7.65.1 automatically run the code (as
    an openssl 'engine') on invocation. If that curl is invoked by
    a privileged user it can do anything it wants. (CVE-2019-5443)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  # https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-28.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?41ee55d1");
  # https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b370bc74");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MySQL version 5.7.28 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2924");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/18");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mysql_version.nasl", "mysql_login.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/mysql", 3306);

  exit(0);
}

include('mysql_version.inc');

mysql_check_version(fixed:'5.7.28', min:'5.7.0', severity:SECURITY_WARNING);
References
- http://www.openwall.com/lists/oss-security/2019/06/24/1
- http://www.securityfocus.com/bid/108881
- https://curl.haxx.se/docs/CVE-2019-5443.html
- https://security.netapp.com/advisory/ntap-20191017-0002/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html