AlmaLinux 9 : rpm (ALSA-2024:0463)

🗓️ 26 Jan 2024 00:00:00Reported by TenableType

The remote AlmaLinux 9 host is affected by multiple vulnerabilities in rpm, potentially allowing local unprivileged users to gain root privileges and escalate privileges

Reporter	Title	Published	Views	Family All 271
IBM Security Bulletins	Security Bulletin: IBM Storage Ceph is vulnerable to an Improper Link Resolution Before File Access in the RHEL UBI (CVE-2021-35938)	5 Aug 202419:42	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities have been identified with the DS8900F and DS8A00 Hardware Management Console (HMC)	27 May 202523:25	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Ceph is vulnerable to Improper Link Resolution Before File Access or Time-of-check Time-of-use Race Condition in the RHEL UBI (CVE-2021-35937)	5 Aug 202421:36	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Ceph is vulnerable to an Improper Link Resolution Before File Access ('Link Following') in the RHEL UBI (CVE-2021-35939)	5 Aug 202420:08	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities	18 Aug 202514:19	–	ibm
IBM Security Bulletins	Security Bulletin: App Connect Enterprise Certified Container UBI updates	7 Mar 202414:53	–	ibm
FreeBSD	rpm4 -- Multiple Vulnerabilities	22 Aug 202200:00	–	freebsd
Tenable Nessus	Amazon Linux 2023 : python3-rpm, rpm, rpm-apidocs (ALAS2023-2024-573)	21 Mar 202400:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0030: rpm (ALINUX3-SA-2024:0030)	14 May 202500:00	–	nessus
Tenable Nessus	AlmaLinux 8 : rpm (ALSA-2024:0647)	2 Feb 202400:00	–	nessus

Source	Link
errata	www.errata.almalinux.org/9/ALSA-2024-0463.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# AlmaLinux Security Advisory ALSA-2024:0463.
##

include('compat.inc');

if (description)
{
  script_id(189627);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/26");

  script_cve_id("CVE-2021-35937", "CVE-2021-35938", "CVE-2021-35939");
  script_xref(name:"ALSA", value:"2024:0463");

  script_name(english:"AlmaLinux 9 : rpm (ALSA-2024:0463)");

  script_set_attribute(attribute:"synopsis", value:
"The remote AlmaLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ALSA-2024:0463 advisory.

  - A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass
    the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root
    privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as
    system availability. (CVE-2021-35937)

  - A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials
    after installing a file. A local unprivileged user could use this flaw to exchange the original file with
    a symbolic link to a security-critical file and escalate their privileges on the system. The highest
    threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    (CVE-2021-35938)

  - It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only
    implemented for the parent directory of the file to be created. A local unprivileged user who owns another
    ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this
    vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-35939)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://errata.almalinux.org/9/ALSA-2024-0463.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-35939");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(367, 59);

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/08/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/01/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-rpm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-apidocs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-build");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-build-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-cron");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-plugin-audit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-plugin-fapolicyd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-plugin-ima");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-plugin-selinux");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-plugin-syslog");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-plugin-systemd-inhibit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-sign");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:rpm-sign-libs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::appstream");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::baseos");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::crb");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::highavailability");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::nfv");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::realtime");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::resilientstorage");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::sap");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::sap_hana");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::supplementary");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Alma Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AlmaLinux/release", "Host/AlmaLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/AlmaLinux/release');
if (isnull(os_release) || 'AlmaLinux' >!< os_release) audit(AUDIT_OS_NOT, 'AlmaLinux');
var os_ver = pregmatch(pattern: "AlmaLinux release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');
os_ver = os_ver[1];
if (! preg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'AlmaLinux 9.x', 'AlmaLinux ' + os_ver);

if (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);

var pkgs = [
    {'reference':'python3-rpm-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-apidocs-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-build-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-build-libs-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-cron-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-devel-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-libs-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-plugin-audit-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-plugin-fapolicyd-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-plugin-ima-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-plugin-selinux-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-plugin-syslog-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-plugin-systemd-inhibit-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-sign-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'rpm-sign-libs-4.16.1.3-27.el9_3', 'release':'9', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'Alma-' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python3-rpm / rpm / rpm-apidocs / rpm-build / rpm-build-libs / etc');
}

26 Jan 2024 00:00Current

6.6Medium risk

Vulners AI Score6.6

CVSS 27.2

CVSS 37.3 - 7.8

CVSS 3.16.7

EPSS0.00202