Amazon Linux AMI : librabbitmq (ALAS-2020-1394)

🗓️ 20 Jul 2020 00:00:00Reported by TenableType

The remote Amazon Linux AMI host is missing a security update. An issue was discovered in amqp_handle_input in amqp_connection.c in rabbitmq-c 0.9.0. There is an integer overflow that leads to heap memory corruption in the handling of CONNECTION_STATE_HEADER

Reporter	Title	Published	Views	Family All 71
FreeBSD	RabbitMQ-C -- integer overflow leads to heap corruption	29 Oct 201900:00	–	freebsd
Amazon	Medium: librabbitmq	16 Jul 202000:00	–	amazon
Tenable Nessus	Alibaba Cloud Linux 3 : 0078: librabbitmq (ALINUX3-SA-2022:0078)	14 May 202500:00	–	nessus
Tenable Nessus	AlmaLinux 8 : librabbitmq (ALSA-2020:4445)	9 Feb 202200:00	–	nessus
Tenable Nessus	CentOS 8 : librabbitmq (CESA-2020:4445)	1 Feb 202100:00	–	nessus
Tenable Nessus	CentOS 7 : librabbitmq (RHSA-2020:3949)	20 Oct 202000:00	–	nessus
Tenable Nessus	Debian DLA-2022-1 : librabbitmq security update	9 Dec 201900:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP5 : librabbitmq (EulerOS-SA-2020-1116)	24 Feb 202000:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP8 : librabbitmq (EulerOS-SA-2020-1163)	25 Feb 202000:00	–	nessus
Tenable Nessus	Fedora 31 : librabbitmq (2019-8730b65158)	10 Dec 201900:00	–	nessus

Source	Link
access	www.access.redhat.com/security/cve/CVE-2019-18609
alas	www.alas.aws.amazon.com/ALAS-2020-1394.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2020-1394.
#

include('compat.inc');

if (description)
{
  script_id(138636);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/12/11");

  script_cve_id("CVE-2019-18609");
  script_xref(name:"ALAS", value:"2020-1394");

  script_name(english:"Amazon Linux AMI : librabbitmq (ALAS-2020-1394)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux AMI host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of librabbitmq installed on the remote host is prior to 0.1-0.2.hgfb6fca832fd2.3. It is, therefore, affected
by a vulnerability as referenced in the ALAS-2020-1394 advisory.

    An issue was discovered in amqp_handle_input in amqp_connection.c in rabbitmq-c 0.9.0. There is an integer
    overflow that leads to heap memory corruption in the handling of CONNECTION_STATE_HEADER. A rogue server
    could return a malicious frame header that leads to a smaller target_size value than needed. This
    condition is then carried on to a memcpy function that copies too much data into a heap buffer.
    (CVE-2019-18609)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-18609");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2020-1394.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update librabbitmq' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-18609");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/07/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:librabbitmq");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:librabbitmq-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:librabbitmq-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'librabbitmq-0.1-0.2.hgfb6fca832fd2.3.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'librabbitmq-0.1-0.2.hgfb6fca832fd2.3.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'librabbitmq-debuginfo-0.1-0.2.hgfb6fca832fd2.3.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'librabbitmq-debuginfo-0.1-0.2.hgfb6fca832fd2.3.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'librabbitmq-devel-0.1-0.2.hgfb6fca832fd2.3.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'librabbitmq-devel-0.1-0.2.hgfb6fca832fd2.3.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "librabbitmq / librabbitmq-debuginfo / librabbitmq-devel");
}

11 Dec 2024 00:00Current

8.3High risk

Vulners AI Score8.3

CVSS 27.5

CVSS 3.19.8

EPSS0.03317