Amazon Linux 2 : flatpak (ALAS-2019-1219)

2019-05-3100:00:00

www.tenable.com

Flatpak allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the controlling terminal so that they would be executed outside the sandbox after the sandboxed app exits. This fix was incomplete: on 64-bit platforms, the seccomp filter could be bypassed by an ioctl request number that has TIOCSTI in its 32 least significant bits and an arbitrary nonzero value in its 32 most significant bits, which the Linux kernel would treat as equivalent to TIOCSTI.(CVE-2019-10063)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2019-1219.
#

include("compat.inc");

if (description)
{
  script_id(125602);
  script_version("1.2");
  script_cvs_date("Date: 2020/01/13");

  script_cve_id("CVE-2019-10063");
  script_xref(name:"ALAS", value:"2019-1219");

  script_name(english:"Amazon Linux 2 : flatpak (ALAS-2019-1219)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Amazon Linux 2 host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Flatpak allows a sandbox bypass. Flatpak versions since 0.8.1 address
CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from
using the TIOCSTI ioctl, which could otherwise be used to inject
commands into the controlling terminal so that they would be executed
outside the sandbox after the sandboxed app exits. This fix was
incomplete: on 64-bit platforms, the seccomp filter could be bypassed
by an ioctl request number that has TIOCSTI in its 32 least
significant bits and an arbitrary nonzero value in its 32 most
significant bits, which the Linux kernel would treat as equivalent to
TIOCSTI.(CVE-2019-10063)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/AL2/ALAS-2019-1219.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Run 'yum update flatpak' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:flatpak");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:flatpak-builder");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:flatpak-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:flatpak-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:flatpak-libs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/31");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (rpm_check(release:"AL2", reference:"flatpak-1.0.2-5.amzn2.0.1")) flag++;
if (rpm_check(release:"AL2", reference:"flatpak-builder-1.0.0-5.amzn2.0.1")) flag++;
if (rpm_check(release:"AL2", reference:"flatpak-debuginfo-1.0.2-5.amzn2.0.1")) flag++;
if (rpm_check(release:"AL2", reference:"flatpak-devel-1.0.2-5.amzn2.0.1")) flag++;
if (rpm_check(release:"AL2", reference:"flatpak-libs-1.0.2-5.amzn2.0.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "flatpak / flatpak-builder / flatpak-debuginfo / flatpak-devel / etc");
}

VendorProductVersionCPE
amazonlinuxflatpakp-cpe:/a:amazon:linux:flatpak
amazonlinuxflatpak-builderp-cpe:/a:amazon:linux:flatpak-builder
amazonlinuxflatpak-debuginfop-cpe:/a:amazon:linux:flatpak-debuginfo
amazonlinuxflatpak-develp-cpe:/a:amazon:linux:flatpak-devel
amazonlinuxflatpak-libsp-cpe:/a:amazon:linux:flatpak-libs
amazonlinux2cpe:/o:amazon:linux:2

Vendor	Product	Version	CPE
amazon	linux	flatpak	p-cpe:/a:amazon:linux:flatpak
amazon	linux	flatpak-builder	p-cpe:/a:amazon:linux:flatpak-builder
amazon	linux	flatpak-debuginfo	p-cpe:/a:amazon:linux:flatpak-debuginfo
amazon	linux	flatpak-devel	p-cpe:/a:amazon:linux:flatpak-devel
amazon	linux	flatpak-libs	p-cpe:/a:amazon:linux:flatpak-libs
amazon	linux	2	cpe:/o:amazon:linux:2