Vulnerabilities > CVE-2020-1752 - Use After Free vulnerability in multiple products
Attack vector
LOCAL Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-2_0-0248_GLIBC.NASL description An update of the glibc package has been released. last seen 2020-06-10 modified 2020-06-06 plugin id 137198 published 2020-06-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/137198 title Photon OS 2.0: Glibc PHSA-2020-2.0-0248 code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2020-2.0-0248. The text # itself is copyright (C) VMware, Inc. include('compat.inc'); if (description) { script_id(137198); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/08"); script_cve_id("CVE-2020-1752"); script_name(english:"Photon OS 2.0: Glibc PHSA-2020-2.0-0248"); script_set_attribute(attribute:"synopsis", value: "The remote PhotonOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "An update of the glibc package has been released."); script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-2-248.md"); script_set_attribute(attribute:"solution", value: "Update the affected Linux packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1752"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/30"); script_set_attribute(attribute:"patch_publication_date", value:"2020/06/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/06"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:glibc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"glibc-2.26-18.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"glibc-devel-2.26-18.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"glibc-i18n-2.26-18.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"glibc-iconv-2.26-18.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"glibc-lang-2.26-18.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"glibc-nscd-2.26-18.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"glibc-tools-2.26-18.ph2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0832-1.NASL description This update for glibc fixes the following issues : CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). CVE-2020-1751: Fixed an array overflow in backtrace for PowerPC (bsc#1158996). CVE-2020-10029: Fixed a stack-based buffer overflow during range reduction (bsc#1165784). Use last seen 2020-05-08 modified 2020-04-02 plugin id 135165 published 2020-04-02 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135165 title SUSE SLES12 Security Update : glibc (SUSE-SU-2020:0832-1) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-1_0-0298_GLIBC.NASL description An update of the glibc package has been released. last seen 2020-06-12 modified 2020-06-10 plugin id 137319 published 2020-06-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/137319 title Photon OS 1.0: Glibc PHSA-2020-1.0-0298 NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-467.NASL description This update for glibc fixes the following issues : - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-05-22 modified 2020-04-07 plugin id 135264 published 2020-04-07 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135264 title openSUSE Security Update : glibc (openSUSE-2020-467) NASL family Fedora Local Security Checks NASL id FEDORA_2020-244EFC27AF.NASL description This update incorporates fixes from the upstream glibc 2.30 stable release branch, including 3 fixes for medium severity security vulnerabilities. (CVE-2020-10029, CVE-2020-1752, CVE-2020-1751) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2020-04-06 plugin id 135209 published 2020-04-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135209 title Fedora 31 : glibc (2020-244efc27af) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1599.NASL description According to the versions of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.(CVE-2020-1752) - The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.(CVE-2020-10029) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-06 modified 2020-06-02 plugin id 137017 published 2020-06-02 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/137017 title EulerOS 2.0 SP5 : glibc (EulerOS-SA-2020-1599) NASL family Fedora Local Security Checks NASL id FEDORA_2020-7F625C5EA8.NASL description This update incorporates fixes from the upstream glibc 2.29 stable release branch, including 3 fixes for medium severity security vulnerabilities. (CVE-2020-10029, CVE-2020-1752, CVE-2020-1751) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2020-04-10 plugin id 135372 published 2020-04-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135372 title Fedora 30 : glibc (2020-7f625c5ea8)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752
- https://sourceware.org/bugzilla/show_bug.cgi?id=25414
- https://security.netapp.com/advisory/ntap-20200511-0005/
- https://usn.ubuntu.com/4416-1/
- https://security.gentoo.org/glsa/202101-20
- https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
- https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ddc650e9b3dc916eab417ce9f79e67337b05035c
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E