ID CVE-2017-2623 Type cve Reporter NVD Modified 2018-10-05T10:48:16
Description
It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.
{"id": "CVE-2017-2623", "bulletinFamily": "NVD", "title": "CVE-2017-2623", "description": "It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.", "published": "2018-07-27T14:29:00", "modified": "2018-10-05T10:48:16", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2623", "reporter": "NVD", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2623", "https://access.redhat.com/errata/RHSA-2017:0444", "http://www.securityfocus.com/bid/96558"], "cvelist": ["CVE-2017-2623"], "type": "cve", "lastseen": "2018-10-06T10:51:39", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": [], "cvelist": ["CVE-2017-2623"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.", "edition": 1, "enchantments": {"score": {"modified": "2018-07-30T13:50:27", "value": 5.0, "vector": "NONE"}}, "hash": "8b29c126bb8c480bf4dec153d0a9686b7a36a414bd10e3f6ff97270f32498673", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "a751aa7907e75fb995a76f3c34a54629", "key": "description"}, {"hash": "f75843846c4e51a5a16435a854bab6ed", "key": "references"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "daabc1521cb5432205dc971a9a549add", "key": "cvelist"}, {"hash": "ec17915408992c8319775232fa21e8af", "key": "published"}, {"hash": "ad0f9c7f0c1c3993de5ab5f32b8c1f42", "key": "title"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "1a2a4121fdf5dd10ffb44143bde958dd", "key": "modified"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "3a752d79e52687f3051ce997f9569d32", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2623", "id": "CVE-2017-2623", "lastseen": "2018-07-30T13:50:27", "modified": "2018-07-28T21:29:02", "objectVersion": "1.3", "published": "2018-07-27T14:29:00", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2623", "https://access.redhat.com/errata/RHSA-2017:0444", "http://www.securityfocus.com/bid/96558"], "reporter": "NVD", "scanner": [], "title": "CVE-2017-2623", "type": "cve", "viewCount": 0}, "differentElements": ["cvss", "modified", "cpe"], "edition": 1, "lastseen": "2018-07-30T13:50:27"}], "edition": 2, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "c654f52b615aca356299b0aff106d869"}, {"key": "cvelist", "hash": "daabc1521cb5432205dc971a9a549add"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "a751aa7907e75fb995a76f3c34a54629"}, {"key": "href", "hash": "3a752d79e52687f3051ce997f9569d32"}, {"key": "modified", "hash": "e79ba2bff3e67330c86bdd612155f745"}, {"key": "published", "hash": "ec17915408992c8319775232fa21e8af"}, {"key": "references", "hash": "f75843846c4e51a5a16435a854bab6ed"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "ad0f9c7f0c1c3993de5ab5f32b8c1f42"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "2db755d6065ee29836514ee49276c1176566a42530aff13d6f6fab1bf7e921cc", "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE", "modified": "2018-10-06T10:51:39"}, "vulnersScore": 5.0}, "objectVersion": "1.3", "cpe": ["cpe:/o:redhat:enterprise_linux:7.0"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"nessus": [{"lastseen": "2018-10-10T08:51:04", "references": ["https://bodhi.fedoraproject.org/updates/FEDORA-2017-003fa5648c"], "pluginID": "97839", "description": "https://github.com/projectatomic/rpm-ostree/releases/tag/v2017.3\n\nThis release includes a fix for [CVE-2017-2623](https://bugzilla.redhat.com/show_bug.cgi?id=1422157).\n\nThere are a few new features, such as `systemctl reload rpm-ostreed` now being supported. Some bugfixes such as memory leak fixes. Besides that, there's a lot of internal refactoring going on in preparation for work on local RPM installation.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2017-03-21T00:00:00", "title": "Fedora 25 : rpm-ostree (2017-003fa5648c)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2623"], "modified": "2018-10-09T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:rpm-ostree", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2017-003FA5648C.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=97839", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-003fa5648c.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97839);\n script_version(\"3.2\");\n script_cvs_date(\"Date: 2018/10/09 17:56:08\");\n\n script_cve_id(\"CVE-2017-2623\");\n script_xref(name:\"FEDORA\", value:\"2017-003fa5648c\");\n\n script_name(english:\"Fedora 25 : rpm-ostree (2017-003fa5648c)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"https://github.com/projectatomic/rpm-ostree/releases/tag/v2017.3\n\nThis release includes a fix for\n[CVE-2017-2623](https://bugzilla.redhat.com/show_bug.cgi?id=1422157).\n\nThere are a few new features, such as `systemctl reload rpm-ostreed`\nnow being supported. Some bugfixes such as memory leak fixes. Besides\nthat, there's a lot of internal refactoring going on in preparation\nfor work on local RPM installation.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-003fa5648c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rpm-ostree package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rpm-ostree\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"rpm-ostree-2017.3-2.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rpm-ostree\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-10T08:46:41", "references": ["http://rhn.redhat.com/errata/RHSA-2017-0444.html", "https://www.redhat.com/security/data/cve/CVE-2017-2623.html"], "pluginID": "97548", "description": "An update for rpm-ostree and rpm-ostree-client is now available for Red Hat Enterprise Linux Atomic Host 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe rpm-ostree tool binds together the RPM packaging model with the OSTree model of bootable file system trees. It provides commands which can be used both on client systems as well as server-side composes.\nThe rpm-ostree-client package provides commands usable on client systems to upgrade and rollback.\n\nThe following packages have been upgraded to a later upstream version:\nrpm-ostree (2017.1), rpm-ostree-client (2017.1). (BZ#1416089)\n\nSecurity Fix(es) :\n\n* It was discovered that rpm-ostree and rpm-ostree-client fail to properly check GPG signatures on packages when doing layering.\nPackages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default. (CVE-2017-2623)\n\nThis issue was discovered by Colin Walters (Red Hat).", "edition": 6, "reporter": "Tenable", "published": "2017-03-06T00:00:00", "title": "RHEL 7 : rpm-ostree and rpm-ostree-client (RHSA-2017:0444)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2623"], "modified": "2018-10-09T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:rpm-ostree-client", "p-cpe:/a:redhat:enterprise_linux:rpm-ostree-debuginfo", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:rpm-ostree", "p-cpe:/a:redhat:enterprise_linux:rpm-ostree-client-debuginfo"], "id": "REDHAT-RHSA-2017-0444.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=97548", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:0444. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97548);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/10/09 17:56:08\");\n\n script_cve_id(\"CVE-2017-2623\");\n script_xref(name:\"RHSA\", value:\"2017:0444\");\n\n script_name(english:\"RHEL 7 : rpm-ostree and rpm-ostree-client (RHSA-2017:0444)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for rpm-ostree and rpm-ostree-client is now available for\nRed Hat Enterprise Linux Atomic Host 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe rpm-ostree tool binds together the RPM packaging model with the\nOSTree model of bootable file system trees. It provides commands which\ncan be used both on client systems as well as server-side composes.\nThe rpm-ostree-client package provides commands usable on client\nsystems to upgrade and rollback.\n\nThe following packages have been upgraded to a later upstream version:\nrpm-ostree (2017.1), rpm-ostree-client (2017.1). (BZ#1416089)\n\nSecurity Fix(es) :\n\n* It was discovered that rpm-ostree and rpm-ostree-client fail to\nproperly check GPG signatures on packages when doing layering.\nPackages with unsigned or badly signed content could fail to be\nrejected as expected. This issue is partially mitigated on RHEL Atomic\nHost, where certificate pinning is used by default. (CVE-2017-2623)\n\nThis issue was discovered by Colin Walters (Red Hat).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2017-0444.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2017-2623.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rpm-ostree\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rpm-ostree-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rpm-ostree-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rpm-ostree-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:0444\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"rpm-ostree-2017.1-5.atomic.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"rpm-ostree-client-2017.1-6.atomic.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"rpm-ostree-client-debuginfo-2017.1-6.atomic.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"rpm-ostree-debuginfo-2017.1-5.atomic.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rpm-ostree / rpm-ostree-client / rpm-ostree-client-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-10T08:53:36", "references": ["https://bodhi.fedoraproject.org/updates/FEDORA-2017-788129b61c"], "pluginID": "97867", "description": "https://github.com/projectatomic/rpm-ostree/releases/tag/v2017.3\n\nThis release includes a fix for [CVE-2017-2623](https://bugzilla.redhat.com/show_bug.cgi?id=1422157).\n\nThere are a few new features, such as `systemctl reload rpm-ostreed` now being supported. Some bugfixes such as memory leak fixes. Besides that, there's a lot of internal refactoring going on in preparation for work on local RPM installation.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2017-03-22T00:00:00", "title": "Fedora 24 : rpm-ostree (2017-788129b61c)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2623"], "modified": "2018-10-09T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:rpm-ostree", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2017-788129B61C.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=97867", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-788129b61c.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97867);\n script_version(\"3.2\");\n script_cvs_date(\"Date: 2018/10/09 17:56:08\");\n\n script_cve_id(\"CVE-2017-2623\");\n script_xref(name:\"FEDORA\", value:\"2017-788129b61c\");\n\n script_name(english:\"Fedora 24 : rpm-ostree (2017-788129b61c)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"https://github.com/projectatomic/rpm-ostree/releases/tag/v2017.3\n\nThis release includes a fix for\n[CVE-2017-2623](https://bugzilla.redhat.com/show_bug.cgi?id=1422157).\n\nThere are a few new features, such as `systemctl reload rpm-ostreed`\nnow being supported. Some bugfixes such as memory leak fixes. Besides\nthat, there's a lot of internal refactoring going on in preparation\nfor work on local RPM installation.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-788129b61c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rpm-ostree package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rpm-ostree\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"rpm-ostree-2017.3-2.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rpm-ostree\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2018-10-09T12:33:47", "references": ["https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TBNXUFWI3POVR7RCY4HLNAVB3XRE5OOT", "2017-788129b61c"], "pluginID": "1361412562310872511", "description": "Check the version of rpm-ostree", "edition": 4, "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "published": "2017-03-21T00:00:00", "title": "Fedora Update for rpm-ostree FEDORA-2017-788129b61c", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2623"], "modified": "2018-10-09T00:00:00", "id": "OPENVAS:1361412562310872511", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872511", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rpm-ostree FEDORA-2017-788129b61c\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872511\");\n script_version(\"$Revision: 11790 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-09 10:36:59 +0200 (Tue, 09 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-21 05:56:39 +0100 (Tue, 21 Mar 2017)\");\n script_cve_id(\"CVE-2017-2623\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for rpm-ostree FEDORA-2017-788129b61c\");\n\n script_tag(name: \"summary\", value: \"Check the version of rpm-ostree\");\n\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of \n detect NVT and check if the version is vulnerable or not.\");\n\n script_tag(name: \"insight\", value: \"rpm-ostree is a hybrid image/package system. \n It supports 'composing' packages on a build server into an OSTree repository, \n which can then be replicated by client systems with atomic upgrades. \n Additionally, unlike many 'pure' image systems, with rpm-ostree each client \n system can layer on additional packages, providing a 'best of both worlds' \n approach. \");\n\n script_tag(name: \"affected\", value: \"rpm-ostree on Fedora 24\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"FEDORA\", value: \"2017-788129b61c\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TBNXUFWI3POVR7RCY4HLNAVB3XRE5OOT\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"rpm-ostree\", rpm:\"rpm-ostree~2017.3~2.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-09T12:33:51", "references": ["https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N3XI7MN7SO2ENMXU3EJNVNWKSLVJZTEC", "2017-003fa5648c"], "pluginID": "1361412562310872508", "description": "Check the version of rpm-ostree", "edition": 4, "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "published": "2017-03-21T00:00:00", "title": "Fedora Update for rpm-ostree FEDORA-2017-003fa5648c", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2623"], "modified": "2018-10-09T00:00:00", "id": "OPENVAS:1361412562310872508", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872508", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rpm-ostree FEDORA-2017-003fa5648c\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872508\");\n script_version(\"$Revision: 11790 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-09 10:36:59 +0200 (Tue, 09 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-21 05:56:36 +0100 (Tue, 21 Mar 2017)\");\n script_cve_id(\"CVE-2017-2623\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_name(\"Fedora Update for rpm-ostree FEDORA-2017-003fa5648c\");\n\n script_tag(name: \"summary\", value: \"Check the version of rpm-ostree\");\n\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of \n detect NVT and check if the version is vulnerable or not.\");\n\n script_tag(name: \"insight\", value: \"rpm-ostree is a hybrid image/package system. \n It supports 'composing' packages on a build server into an OSTree repository, \n which can then be replicated by client systems with atomic upgrades. \n Additionally, unlike many 'pure' image systems, with rpm-ostree each client \n system can layer on additional packages, providing a 'best of both worlds' \n approach. \");\n\n script_tag(name: \"affected\", value: \"rpm-ostree on Fedora 25\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"FEDORA\", value: \"2017-003fa5648c\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N3XI7MN7SO2ENMXU3EJNVNWKSLVJZTEC\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"rpm-ostree\", rpm:\"rpm-ostree~2017.3~2.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "redhat": [{"lastseen": "2018-10-06T08:23:58", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "7", "packageVersion": "2017.1-5.atomic.el7", "arch": "src", "packageName": "rpm-ostree", "packageFilename": "rpm-ostree-2017.1-5.atomic.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2017.1-5.atomic.el7", "arch": "x86_64", "packageName": "rpm-ostree", "packageFilename": "rpm-ostree-2017.1-5.atomic.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2017.1-6.atomic.el7", "arch": "src", "packageName": "rpm-ostree-client", "packageFilename": "rpm-ostree-client-2017.1-6.atomic.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2017.1-6.atomic.el7", "arch": "x86_64", "packageName": "rpm-ostree-client", "packageFilename": "rpm-ostree-client-2017.1-6.atomic.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2017.1-6.atomic.el7", "arch": "x86_64", "packageName": "rpm-ostree-client-debuginfo", "packageFilename": "rpm-ostree-client-debuginfo-2017.1-6.atomic.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2017.1-5.atomic.el7", "arch": "x86_64", "packageName": "rpm-ostree-debuginfo", "packageFilename": "rpm-ostree-debuginfo-2017.1-5.atomic.el7.x86_64.rpm", "operator": "lt"}], "description": "The rpm-ostree tool binds together the RPM packaging model with the OSTree model of bootable file system trees. It provides commands which can be used both on client systems as well as server-side composes. The rpm-ostree-client package provides commands usable on client systems to upgrade and rollback.\n\nThe following packages have been upgraded to a later upstream version: rpm-ostree (2017.1), rpm-ostree-client (2017.1). (BZ#1416089)\n\nSecurity Fix(es):\n\n* It was discovered that rpm-ostree and rpm-ostree-client fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default. (CVE-2017-2623)\n\nThis issue was discovered by Colin Walters (Red Hat).", "reporter": "RedHat", "published": "2017-03-03T03:32:52", "type": "redhat", "title": "(RHSA-2017:0444) Moderate: rpm-ostree and rpm-ostree-client security, bug fix, and enhancement update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2017-2623"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-03-03T22:40:38", "id": "RHSA-2017:0444", "href": "https://access.redhat.com/errata/RHSA-2017:0444", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}
