Apache Spark < 2.4.6 RCE (CVE-2020-9480)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, inc.
##

include('compat.inc');

if (description)
{
  script_id(172445);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/08/30");

  script_cve_id("CVE-2020-9480");
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");

  script_name(english:"Apache Spark < 2.4.6 RCE (CVE-2020-9480)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host contains a web application that is affected by a remote command execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require 
authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to 
the master can succeed in starting an application's resources on the Spark cluster, even without the shared 
key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters 
using other resource managers (YARN, Mesos, etc). 

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://spark.apache.org/security.html#CVE-2020-9480");
  script_set_attribute(attribute:"solution", value:
"Upgrade Apache Spark to 2.4.6, 3.0.0, or  later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-9480");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/06/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/06/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/10");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:spark");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_spark_detect.nbin");
  script_require_keys("installed_sw/Apache Spark", "Settings/ParanoidReport");
  script_require_ports("Services/www", 7077, 8080, 8081, 9090, 6066, 4040, 18080);

  exit(0);
}

include('vcf.inc');

var app = 'Apache Spark';
get_install_count(app_name:app, exit_if_zero:TRUE);
var app_info = vcf::combined_get_app_info(app:app);

# We can't check whether they're using other resource managers
if (report_paranoia < 2) audit(AUDIT_PARANOID);

var constraints = [
  { "fixed_version" : "2.4.6", "fixed_display" : '2.4.6 or 3.0.0'}
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);